Summary List Placement
After Insider reported that the phone numbers and personal data of 533 million Facebook users were leaked online on Saturday, Facebook framed the leak as old news.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” a Facebook spokesperson told Insider at the time. Facebook later expanded on that statement in a blog post Tuesday reiterating that the issue that enabled the data to be scraped has been patched.
While Facebook described this issue and the data scraping methods as “previously reported,” this week marks the first time the company has addressed the breach in any detail. And according to security experts, the nature of the leaked data makes it risky for affected users regardless of when it was scraped — and downplaying that is a disservice to users, who may now be vulnerable.
That’s because some of the most sensitive data included in the leak — like their phone numbers, Facebook IDs, and locations — are unlikely to have changed since 2019.
“Facebook referring to this data as old is likely to discourage the conversation around it,” Gal said. “People who haven’t really looked into the leak might not be familiar with what exact details were involved and are likely to go on with their lives thinking it was data that is not relevant to them. But obviously that is not the case.”
Experts say that the personal data included in the breach is valuable to hackers and cybercriminals who can use it to impersonate people online or try to trick them into handing over more credentials.
Security researchers also noted that leaked phone numbers could pose dangers to people who wanted to keep their contact information private, like public figures or those trying to avoid stalkers or abusive ex-partners.
For users who try to maintain an unlisted number, the distinction between hacking and scraping might not feel that important. Lots of politicians, celebrities and people with abusive ex-partners had their phone numbers exposed.
— @mikko (@mikko) April 7, 2021
“Even though some of the unauthorized data access happened in 2019, the data is still relevant, and it is questionable if all users were aware of the earlier data leak,” said Candid Wuest, VP of cyber protection research at the security firm Acronis.
Facebook does not plan to alert users whose data may have been included in the leak, the company told Reuters on Wednesday. That’s because the company isn’t confident that it knows which users were affected and because notifying users wouldn’t fix the fact that the data was published, Facebook said.
But notifying affected users could prove a useful step in helping them avoid further damage from the hack, according to Gal.
Cybercriminals are increasingly using text messages to carry out phishing scams that try to trick people into handing over sensitive data or money, according to research from the cybersecurity firm Proofpoint. The firm’s VP Jacinta Tobin told Insider she expects the massive Facebook leak will exacerbate the amount of “smishing” attacks, or phishing schemes that use text messages.
“The online leak of personal information will undoubtedly result in a marked increase in smishing attacks,” Tobin said. “Consumers need to be very skeptical of mobile messages that come from unknown sources.”
Tobin advises people to avoid clicking on any links sent to their phones from contacts they don’t recognize. Experts are also urging people to check whether their data is included in the Facebook breach. A new tool from security researcher Troy Hunt lets people enter their phone number to check whether it was included in the leak.
“Users having their information leaked is a huge breach of trust,” Gal said, adding that Facebook could rebuild trust by “apologizing to their users, explaining what happened, [and] assuring them it will never happen again.”
NOW WATCH: Why electric planes haven’t taken off yet