Facebook Says Massive Leak Involves ‘Old’ User Data

Ireland’s data protection office said it would work with Facebook to review a massive data leak on about 530 million people worldwide, which Facebook said involves “old” data.

The leaked data surfaced over the weekend, after it was published in a freely available, searchable format on a hacking forum.

The data dump is believed to originate from an issue that occurred in early 2019, which Facebook said it fixed in August of that year.

“This is old data that was previously reported on in 2019,” the company said. “We found and fixed this issue in August 2019.”

‘Old’ data

Irish Data Protection Commissioner (DPC) deputy commissioner Graham Doyle said the recent data dump “appears to be” comprised of data from the 2019 breach, which occurred before the full force of the GDPR data protection laws came into effect.

“However, following this weekend’s media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019,” Doyle said.

Facebook’s European headquarters is in Dublin, making the Irish DPC the lead on any Facebook data protection issues within the EU.

The leaked data appears to have been sold and resold multiple times within the criminal hacking underworld over the past two years.

Public release

In January 2021 it was linked to an interface on Telegram which allowed anyone to retrieve the phone number and account details of a user for a small fee.

Now, however, the entire database is available to anyone via a publicly accessible hacking forum, security researchers said.

“All 533,000,000 Facebook records were just leaked for free,” wrote cyber-security researcher Alon Gal on Twitter. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.

“I have yet to see Facebook acknowledging this absolute negligence of your data,” Gal added.

The leak covers users from 106 countries, including 11 million in the UK and more than 30 million in the US.

Scam risk

About 1.5 million Irish users are included, which Irish newspaper The Independent estimated to be about one-third of all of Ireland’s mobile phone numbers.

The paper reported that it took about half an hour to track down the data cache and find the phone numbers of private individuals as well as public figures such as judges, police officers and teachers.

While Facebook may have fixed the issue that allowed the breach to take place, industry watchers noted that much of the data in the leak, such as birthdates and birthplaces, as well as phone numbers and other information, will remain current for some time to come, if not permanently.

The breach appears to be the biggest affecting Facebook to date, eclipsing one the company disclosed in October 2018 that affected 29 million users and was at the time considered its largest data leak.

GDPR enforcement

The GDPR, which came into force in 2019, strengthens data protection laws for European citizens, but the Irish DPC has come under fire from activists and other EU data protection offices over the rules’ enforcement.

Earlier this year Germany’s federal data protection regulator (BfDI), Ulrich Kelber, wrote to the European Parliament’s civil liberties, justice and home affairs (LIBE) committee that he had forwarded 50 complaints about Facebook subsidiary WhatsApp to the Irish DPC, but that “not one has, to date, been concluded”.

Irish DPC Helen Dixon in February responded to the LIBE committee’s criticism of her work with Facebook, saying the criticism was “neither sustainable nor appropriate and should be withdrawn”.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
