2019: 309 million users in Dec (Hacker in Vietnam)
Facebook ended 2019 on a high note when yet another database was left exposed. More than 300 million phone numbers, names and logins of Facebook users were left unprotected on the dark web for nearly two weeks. Security expert Bob Diachenko, who discovered the breach, reported that it was the result of an illegal scraping operation or Facebook API abuse by hackers in Vietnam.
The estimate of those affected was originally 267 million. However, in March 2020, it was discovered that a second server containing an additional 42 million records had been exposed by the same criminal group, which brought the total up to 309 million. Again, it is unknown whether anyone was harmed by this breach, but it certainly exposed users to spam and phishing.
2019: 533 million users in April (Contact importer tool weakness)
The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that it combined member information that can be scraped from public profiles with the private mobile numbers associated with the accounts.
The sold data covered 533,313,128 Facebook users, with information such as a member's mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email address.
2019: 1.5 million users again in April (contacts harvesting without consent)
Going back to May 2016, Facebook had been harvesting the email contacts of 1.5 million new users when they opened their accounts. It is not surprising that the company did this without the consent or knowledge of its users. So how did this happen?
During the registration process, Facebook was asking new users to verify their email address by entering their email password, a practice widely condemned by security experts. Once the password for the email account was entered, that account's contacts were automatically imported. Facebook did not ask permission to do this, and there was no way to stop or cancel the process while it was happening.
Facebook would then use the collected data to improve ad performance, make friend recommendations and help grow Facebook’s network of connections. Facebook said it was not able to see the content of emails, but being able to see who you are communicating with is still a pretty big privacy violation. With 1.5 million connected email address books, Facebook now had the contact information of millions more people.
The company said it would delete the email contact lists, and that no one outside of Facebook had access to the data.
2019: 540 million users in April (Cultura Colectiva exposure in Mexico)
The spring of 2019 was not a good time for Facebook. In April, it was discovered that hundreds of millions of Facebook user records were sitting on a public server. Oops. Researchers at the security firm UpGuard discovered the breach, and reached out to the Mexican company hosting the server, Cultura Colectiva, multiple times before the server was finally secured months later.
A similar data set was also found for an app called “At the Pool.” While smaller, the latter included especially personal information, including 22,000 passwords apparently used for the app, rather than directly for Facebook.
It’s unknown exactly how long user records were exposed for, or if anyone managed to take advantage of the situation. The data was only made private after Facebook became aware of the situation. Although Facebook isn’t directly responsible for this breach, it certainly added fuel to the growing fire.
2019: 600 million users in March (Unencrypted password storage)
Facebook’s first data breach of 2019 was a big one. In March, cybersecurity expert Brian Krebs reported that Facebook had been storing hundreds of millions of user passwords in plaintext files. Only employees could access these files, but that still means account passwords were available to more than 2,000 Facebook employees. In some cases, the files went back as far as 2012. Facebook did not divulge why or how user passwords had come to be stored in this way.
A month later, it was revealed that millions of Instagram users had been affected as well; their passwords had also been stored in clear text. Facebook reiterated that the passwords had not been compromised or used inappropriately in any way. The total number of affected Facebook and Instagram users is still unknown (Facebook declined to comment), but is estimated to be at least 600 million, though the actual number is likely much higher.
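Plaintext passwords usually end up in internal files because a login or registration path logs the raw request, or stores the secret itself instead of a salted hash. The following is an added example (not Facebook's code) showing the two defensive controls side by side: redacting secret fields before they reach a log, and storing only a salted PBKDF2 hash, plus a small audit that flags log lines still carrying an unmasked secret. The field names, sample log lines and the `SECRET_FIELDS` set are constructed for the example.

```python
"""Redact-before-log, salted hashing, and a log audit for leaked secrets (added example)."""
import hashlib
import hmac
import json
import os

# Request fields that must never reach a log store in the clear (constructed list).
SECRET_FIELDS = {"password", "passwd", "token", "email_password"}
REDACTED = "[REDACTED]"


def redact_for_log(record: dict) -> str:
    """Serialise a request record for logging with secret fields masked.
    Logging the raw record is exactly what leaves plaintext passwords readable
    by everyone who can read the logs."""
    safe = {k: (REDACTED if k.lower() in SECRET_FIELDS else v) for k, v in record.items()}
    return json.dumps(safe, sort_keys=True)


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Return an encoded salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)  # fresh per-user salt: equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def find_leaky_log_lines(lines) -> list:
    """Detection side: indexes of JSON log lines that carry an unmasked secret field."""
    hits = []
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # non-JSON lines are out of scope for this check
        if any(k.lower() in SECRET_FIELDS and v != REDACTED for k, v in rec.items()):
            hits.append(i)
    return hits


# Constructed sample log: line 0 was redacted correctly, line 1 leaks a password, line 2 is free text.
SAMPLE_LOG = [
    redact_for_log({"event": "login", "user": "alice", "password": "hunter2"}),
    json.dumps({"event": "login", "user": "bob", "password": "correct-horse"}),
    "2019-03-21T10:00:00Z login service started",
]
```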
2018: 90 million users in Sept (Hacked data)
Not long after the Cambridge Analytica scandal, Facebook experienced its second data breach. In September 2018, it was publicly announced that attackers had managed to gain access to up to 90 million user accounts. The attackers could see everything on a user’s profile. Facebook also confirmed that third-party sites that those users logged into with their Facebook accounts could be affected as well.
Facebook began investigating a few weeks before the announcement, when it noticed unusual spikes in access to user accounts. The situation turned out to be very complex and was based on three separate platform bugs in the “View As” feature, which lets users see what their profile and privacy settings look like to another person.
The first bug caused Facebook’s video upload tool to appear on the “View As” page. The second bug caused the video uploader to create an access token (which allows you to stay logged into your Facebook account on a device without having to log in every time) that gave attackers the same login credentials as the Facebook mobile app. Finally, when the video uploader appeared in “View As” mode, it generated that token for the person the attacker was viewing as, rather than for the attacker’s own account. The vulnerability is believed to have existed since July 2017.
In response, Facebook logged out 90 million users across all platforms and asked them to log back in and reset their passwords. The “View as” feature was temporarily disabled. Mark Zuckerberg also announced that Facebook would be working with the FBI to investigate the breach.
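The underlying bug class is a confused identity at token issuance: a component running inside an impersonation or preview context mints a credential for the previewed user instead of the authenticated one. The following is an added, hypothetical model (not Facebook's code) that shows the buggy issuance beside the fixed one and a server-side invariant that would have caught it: a token's subject must always equal the session's authenticated user. `Session`, `mint_token`, `issue_upload_token_*` and `audit_issuance` are all constructed for the example.

```python
"""Model of a 'View As' token-confusion bug and its fix (added, hypothetical example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)  # constructed for the example; a real service uses a managed key


@dataclass(frozen=True)
class Session:
    user_id: str                  # the authenticated principal who actually logged in
    view_as: Optional[str] = None  # the profile the user is previewing as, if any


def mint_token(subject: str) -> str:
    """Issue a token bound to `subject` (HMAC over the subject, for the model only)."""
    mac = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def token_subject(token: str) -> Optional[str]:
    """Return the subject a token is bound to, or None if the signature is invalid."""
    subject, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return subject if hmac.compare_digest(mac, expected) else None


def issue_upload_token_buggy(session: Session) -> str:
    # Bug: the uploader rendered inside the preview takes the *displayed* identity
    # as the token subject, so previewing as Bob yields a token that acts as Bob.
    return mint_token(session.view_as or session.user_id)


def issue_upload_token_fixed(session: Session) -> str:
    # Fix 1: preview/impersonation contexts never mint credentials at all.
    if session.view_as is not None:
        raise PermissionError("token issuance disabled inside View As preview")
    # Fix 2: the subject is always the authenticated principal, never a displayed identity.
    return mint_token(session.user_id)


def audit_issuance(session: Session, token: str) -> bool:
    """Invariant to enforce (and alert on) at issuance time: subject == authenticated user."""
    return token_subject(token) == session.user_id
```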
2018: 87 million users in April (Cambridge Analytica)
Media reports alleged that a UK-based researcher collected the data after just 270,000 users downloaded a psychology quiz app that requested access to their personal data, and to that of their friends. The New York Times and the Observer reported in March that as many as 50 million Facebook users had had their data improperly shared.
Facebook later put the number of users affected by the Cambridge Analytica data leak at 87 million.
According to former Cambridge Analytica employees, associates and documents, the firm harvested private information from Facebook users’ profiles without their permission, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.
2018: 14 million users in May (private posts publicly published)
If you’ve ever used Facebook, you know that there are different privacy settings for your posts and your profile. You can choose to share what you post with a specific list of people, your Facebook friends or the world. However, a glitch in the system in May 2018 caused the normally private posts of 14 million users to be shared publicly without their knowledge or consent.
The bug was only active for five days, and Facebook quickly returned all posts to their normal (i.e., non-public) privacy settings. Nevertheless, during those few days, these posts were made public, and users’ privacy was completely exposed.
2013: 6 million users (private info available without authorisation)
In June 2013, Facebook discovered that a bug had been exposing the personal data of 6 million users to unauthorized viewers for over a year. User phone numbers and email addresses were exposed, and anyone who knew at least one piece of contact information for a person, or who had some type of connection to them, could access the data.
The technical glitch reportedly began in 2012 but was not noticed until 2013. Facebook fixed the bug and apparently reported the breach to regulators and to those affected before announcing it publicly. While not the biggest breach of the year, it marked the beginning of Facebook’s data problems.
What is clear from this list is that your data is not safe on Facebook: across these incidents, more than 1 billion user records were leaked.
You should either delete your Facebook account or at least delete any information that could harm you. Don’t share anything that you don’t want to be publicly available.
Check our advice on how to protect yourself against recurring massive social network data leaks.
Report a new Facebook data leak
Did we forget to report a data leak? Add it in the comments.