WTF?! To be clear: The database containing the personal information of half a billion Facebook users is not just a treasure trove for telemarketers and telephone spammers. Information like birthdates, marital status, hometowns, and other places lived are a social engineer’s bread and butter. Regardless of whether the data was already available publicly, having it listed in a convenient database and released to the public is no small matter.
Earlier this week, a security researcher discovered that Facebook leaked the data of 533 million users. Personal information in the breach included phone numbers, Facebook IDs, full names, hometowns, places lived, birthdates, email addresses, relationship status, and more. So this was not just a minor leak that can be swept under the rug.
Despite the breach’s severity, Facebook told Reuters that it has no plans to inform affected users. The spokesperson reasons that the company is not “confident” it could identify which users were affected and that “the data was [already] publicly available.” Additionally, the spokesperson said that the data was “scraped” before September 2019 using a contact-syncing vulnerability it was already patched long ago. It is worth noting that it did not notify users at the time of that security concern either.
Over the last year, I have asked Facebook more than a dozen times if it will take legal action against Clearview AI for scraping what is likely millions of photos from Instagram and Facebook. No lawsuits have been filed and FB has said nothing on record.https://t.co/htkKCD5bT0
— Ryan Mac🙃 (@RMac18) April 7, 2021
As BuzzFeed’s Ryan Mac pointed out in a tweet (above), Facebook said that the 2019 scraping of data goes against its terms of service, yet it has done nothing about Clearview AI scraping millions of photos from Facebook and Instagram. Other than “demanding” the face recognition company stop scraping its data, Facebook has not sought more aggressive action to stop it. Mac claims this is because Facebook board member Peter Thiel is a Clearview investor.
Despite all of that, there are ways to check if your data was involved in the breach without Facebook’s help. The database is publicly available through torrent sites, and several websites on the internet can perform searches to see if your data has ever been leaked. However, use caution with sites that ask for personal information to perform a search. Have I Been Pwned is one of the more reliable data leak search engines. I have used it without consequence on several occasions.
The news of the stolen information, and Facebook’s lack of concern about it, should not come as a surprise. The company has a long history of data misuse and abuse. Ironically, 2019—the year Facebook claims to have patched the vulnerability—was the same year it vowed a “privacy-focused” future. Given the circumstances, one has to question whether it meant user privacy or corporate privacy?
Image credit: mundissima