SA TIMES NEWS reported last week that data for 533 million Facebook users was published on a hacking forum.
Facebook said Tuesday the data was “scraped” sometime before September 2019.
The explanation it gave for what happened doesn’t quite make sense.
Facebook wants you to know that the leak of 533 million users’ data on an online hacking
forum wasn’t a hack – or at least not a new one.
SA TIMES NEWS reported on Saturday that 533 million Facebook users’ personal details,
including their names, email addresses, and phone numbers, had been posted to a low-level hacking forum.
Facebook posted a blog on Tuesday explaining why it had not disclosed the apparent breach.
Facebook said the data had not been obtained by hacking into its systems.
Instead, it had been scraped off the platform at some point before September 2019.
“Scraping is a common tactic that often relies on automated software to lift public
information from the internet that can end up being distributed in online forums like this,”
Facebook product management director Mike Clark wrote in the blog.
Clark said the method used to obtain these data exploited a vulnerability in Facebook’s
contact importer, a tool that allows users to find the Facebook profiles of people in their
phone contacts. Facebook says it fixed that particular vulnerability in August 2019, and
that it was previously reported on.
This would mean it wasn’t obliged to notify anyone about a new breach.
However, as reported by Wired’s Lily Hay Newman, Facebook’s timeline doesn’t quite make sense.
Facebook’s post links to a September 2019 CNET article as an example of previous
reporting on the data leak. CNET’s article refers back to a September 2019 article
from TechCrunch, which details a server containing the data of 419 million Facebook users
being exposed online.
A Facebook spokesperson told TechCrunch in 2019: “This data set is old and appears to have information obtained before we made changes last year  to remove people’s ability to find others using their phone numbers.”
Given that Facebook has said the vulnerability for the most recent data breach was only plugged in August 2019, this would suggest the dataset mentioned by the CNET and TechCrunch articles is different to the one Insider reported last week.
Newman also reported there are observable differences in the two datasets, for example in the proportion of users from different countries.
The company did not immediately respond to Insider when asked to clarify.
Facebook must be precise in its statements about exactly what data was leaked and when, or else it could draw the ire of regulators.
Facebook reached a settlement with the FTC in July 2019, which requires it to report security breaches to the agency.
Ireland’s Data Protection Commission (DPC) announced Tuesday it was looking into the data set, and whether it contained leaked data that wasn’t previously reported.
According to the DPC, Facebook said the recent data set could have been cobbled together from older breaches. “The data at issue appears to have been collated by third parties and potentially stems from multiple sources,” Facebook said.