Following the latest Facebook data breach which leaked the personal details of over 500 million users, Wired has explained what exactly caused the major data breach. According to the progressive tech outlet, the massive trove of personal data was “created by abusing a flaw in a Facebook address book contacts import feature.”
Breitbart News recently reported that hackers published the phone numbers and personal data of 533 million Facebook users, including users’ full names, locations, phone numbers, and email addresses.
A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.
The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.
Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.
Now, Wired has examined the data in-depth and has provided more context to how the latest Facebook data breach took place. Wired notes that Facebook’s initial response to the leak was that the data was previously reported on in 2019 and that the company had fixed the underlying vulnerability in August of that year.
But according to Wired, the data which first appeared on the dark web in 2019 came from a breach that the social media giant did not disclose in detail at the time and only acknowledged took place earlier this week in a blog post from the company’s product management director Mike Clark. Wired states that the dataset was “created by abusing a flaw in a Facebook address book contacts import feature.”
One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated. Was it the 540 million records—including Facebook IDs, comments, likes, and reaction data—exposed by a third party and disclosed by the security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names, and Facebook IDs, scraped from the social network by bad actors before a 2018 Facebook policy change, that were exposed publicly and reported by TechCrunch in September 2019? Did it have something to do with the Cambridge Analytica third-party data sharing scandal of 2018? Or was this somehow related to the massive 2018 Facebook data breach that compromised access tokens and virtually all personal data from about 30 million users?
In fact, the answer appears to be none of the above. As Facebook eventually explained in background comments to WIRED and in its Tuesday blog, the recently public trove of 533 million records is an entirely different data set that attackers created by abusing a flaw in a Facebook address book contacts import feature. Facebook says it patched the vulnerability in August 2019, but it’s unclear how many times the bug was exploited before then. The information from more than 500 million Facebook users in more than 106 countries contains Facebook IDs, phone numbers, and other information about early Facebook users like Mark Zuckerburg and US secretary of Transportation Pete Buttigieg, as well as the European Union commissioner for data protection, Didier Reynders. Other victims include 61 people who list the “Federal Trade Commission” and 651 people who list “Attorney General” in their details on Facebook.
If the latest data leak came from a source other than the hack Mark Zuckerberg’s company revealed in 2019 and it wasn’t disclosed, it could spell major trouble for the firm. Former FTC Chief Technologist Ashkan Soltani commented: “At what point did Facebook say, ‘We had a bug in our system, and we added a fix, and therefore users might be affected’? I don’t remember ever seeing Facebook say that. And they’re kind of stuck now, because they apparently didn’t do any disclosure or notification.”
Before its blog acknowledging the breach, Facebook pointed to the Forbes story as evidence that it publicly acknowledged the 2019 Facebook contact importer breach. But the Forbes story is about a similar yet seemingly unrelated finding in Instagram versus main Facebook, which is where the 533-million-user leak comes from. And Facebook admits that it did not notify users that their data had been compromised individually or through an official company security bulletin.
Read more at Wired here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address firstname.lastname@example.org