What really caused the Facebook 500 million user data leak?

Since Saturday, a large amount of Facebook data has circulated publicly, splattering information from some 533 million Facebook users across the Internet. The data includes profile names, Facebook ID numbers, email addresses, and phone numbers. It is all the kind of information that may already have been leaked or scraped from some other source, but this is yet another resource that combines all of that data and ties it to each victim, handing ready-made profiles to scammers, phishers and spammers.

Facebook’s initial response was simply that the data had previously been reported in 2019 and that the company fixed the underlying vulnerability in August of that year. Old news. But a closer look at exactly where this data comes from produces a much murkier picture. In fact, the data, which first appeared on a criminal dark web site in 2019, came from a vulnerability that Facebook did not describe in any significant detail at the time and that it only fully acknowledged on Tuesday evening in a blog post attributed to product management director Mike Clark.

One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated. Was it the 540 million records, including Facebook identifiers, comments, likes and reaction data, exposed by a third party and disclosed by security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, Facebook names and identifiers, scraped from the social network by bad actors before a 2018 Facebook policy change, then publicly exposed and reported by TechCrunch in September 2019? Did it have anything to do with the 2018 Cambridge Analytica third-party data sharing scandal? Or was it in some way related to the massive Facebook data breach of 2018 that compromised access tokens and virtually all personal data of some 30 million users?

In fact, the answer seems to be none of the above. As Facebook finally explained in background comments to WIRED and in its blog post on Tuesday, the newly public set of 533 million records is a completely different data set that attackers created by abusing a flaw in Facebook’s address book contact import feature. Facebook says it fixed the vulnerability in August 2019, but it is unclear how many times the bug was exploited before then. The information from more than 500 million Facebook users in more than 106 countries includes Facebook identifiers, phone numbers, and other details of early Facebook users such as Mark Zuckerberg and U.S. Transportation Secretary Pete Buttigieg, as well as the European Union Commissioner for Data Protection, Didier Reynders. Other victims include 61 people listing the “Federal Trade Commission” and 651 people listing “Attorney General” in their Facebook data.
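Contact-import features map a submitted phone number or email address to a profile, so the abuse described above shows up server-side as an account submitting far more contacts, far more often, than a real user importing an address book. The following is an added example of the kind of detection heuristic a platform could run over its own request logs; it is not Facebook's code, and the log format, field names and thresholds are assumptions. The log lines are constructed for the example.

```python
"""Flag accounts whose contact-import activity looks like bulk scraping.

Added example (not Facebook's code). Assumes an application log in which each
contact-import request records a timestamp, the calling account, the number of
contacts submitted and the number that matched an existing profile. The line
format and the thresholds below are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) submitted=(?P<sub>\d+) matched=(?P<mat>\d+)$"
)

# Constructed sample log: u100 imports a normal address book, u999 submits
# huge batches, u555 submits small batches but far too many of them.
SAMPLE_LOG = "\n".join(
    [
        "2019-08-01T10:00:00Z acct=u100 submitted=120 matched=35",
        "2019-08-01T10:04:00Z acct=u100 submitted=80 matched=20",
        "2019-08-01T10:00:30Z acct=u999 submitted=5000 matched=4100",
        "2019-08-01T10:01:30Z acct=u999 submitted=5000 matched=4050",
        "2019-08-01T10:02:30Z acct=u999 submitted=5000 matched=4120",
    ]
    + [f"2019-08-01T11:{i:02d}:00Z acct=u555 submitted=150 matched=40" for i in range(12)]
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "acct": m["acct"], "submitted": int(m["sub"]), "matched": int(m["mat"])}


def flag_scrapers(log_text, window=timedelta(hours=1), max_submitted=2000, max_requests=10):
    """Return {account: [reasons]} for accounts exceeding either threshold
    within any sliding window of the given length.  Thresholds are
    illustrative; a real deployment would tune them to observed user
    behaviour and combine them with per-IP and per-device signals."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_acct[e["acct"]].append(e)

    flagged = {}
    for acct, evs in by_acct.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so all events in evs[start:end+1]
            # fall within `window` of the newest event
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            total = sum(x["submitted"] for x in in_window)
            reasons = []
            if total > max_submitted:
                reasons.append(f"{total} contacts submitted within {window}")
            if len(in_window) > max_requests:
                reasons.append(f"{len(in_window)} import requests within {window}")
            if reasons:
                flagged[acct] = reasons
                break  # one hit per account is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for acct, reasons in flag_scrapers(SAMPLE_LOG).items():
        print(acct, "->", "; ".join(reasons))
```

The two thresholds catch the two obvious shapes of abuse: a few very large batches, and many small batches that individually look ordinary. Rate limiting on the same counters is the corresponding mitigation, and capping the number of matches returned per request limits how much a single bypass can yield.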

You can check whether your phone number or email address was exposed in the leak by visiting the HaveIBeenPwned breach tracking site. For that service, founder Troy Hunt reconciled and ingested two different versions of the circulating dataset.

“When there’s an information gap in the organization involved, everyone speculates and there’s confusion,” Hunt says.

The closest Facebook had previously come to acknowledging the source of this breach was a comment in a fall 2019 news article. That September, Forbes reported a vulnerability in Instagram’s contact import mechanism. The Instagram bug exposed users’ names, phone numbers, Instagram handles, and account ID numbers. At the time, Facebook told the researcher who disclosed the flaw that its security team “was already aware of the problem due to an internal finding.” A spokesperson told Forbes at the time, “We changed the contact importer on Instagram to help prevent possible abuse. We are grateful to the researcher who raised this issue.” Forbes noted in the September 2019 story that there was no evidence the vulnerability had been exploited, but there was also no evidence that it had not been.
