The news: The personal data of 533 million Facebook users in more than 106 countries was found to be available for free online last weekend. The data trove, discovered by security researcher Alon Gal, includes phone numbers, e-mail addresses, cities of origin, full names and dates of birth. Initially, Facebook claimed that the data breach had already been reported in 2019 and that it had fixed the vulnerability that caused it in August. But in fact, it appears Facebook did not properly disclose the breach at the time. The company finally acknowledged it on Tuesday, April 6, in a blog post by Director of Product Management Mike Clark.
How did it happen: In the blog post, Clark said that Facebook believed the data was pulled from people’s profiles by “bad actors” using its contact import tool, which uses people’s contact lists to help them find friends on Facebook. It is not known exactly when the data was retrieved, but Facebook says it was “before September 2019”. A complicating factor is that it is very common for cybercriminals to combine different sets of data and sell them in different chunks, and Facebook has had many different data breaches over the years (the most famous being the Cambridge Analytica scandal).
Why timing matters: The General Data Protection Regulation entered into force in the countries of the European Union in May 2018. If the breach occurred after that, Facebook could be liable to fines and enforcement action because it did not disclose the breach to the relevant regulators within 72 hours, as the GDPR requires. The Irish Data Protection Commission is investigating the breach. In the United States, Facebook signed an agreement two years ago that gave it immunity from Federal Trade Commission fines for violations before June 2019, so if the data was stolen after that, it could also be prosecuted.
How to check if you’ve been affected: Although the passwords were not disclosed, the crooks could still use the information for spam or robocalls. If you want to see if you are at risk, go to haveibeenpwned.com and check whether your email address or phone number has been breached.