Social media giant says ‘scraping’ was cause of issue that affected 500 million users

A security researcher claims Facebook knew about a data leak vulnerability two years before it was patched

As Facebook defends its actions over a massive data leak, one researcher says he notified the company of the issue a full two years before the problem was fixed.

Last week, Business Insider revealed that the personal data of more than 500 million Facebook users had been posted in a low-level hacking forum where phone numbers were being offered for sale.

Facebook has defended itself in a lengthy blog post, pointing out that the data was obtained by scraping, rather than hacking.

Read more of the latest social media security news

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” wrote product management director Mike Clark.

“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer.

“In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.”

In the public eye

Ethical hacker Inti De Ceukelaire says he reported the vulnerability to Facebook back in January 2017, after using the technique to discover the private phone numbers of several Belgian celebrities and politicians.

Facebook had said that the issue wasn’t a breach of privacy as the users concerned had set the ‘Who can look me up’ setting to ‘Public’. This, the company said, meant that no user information was exposed that wasn’t already public.

However, as De Ceukelaire points out, ‘Public’ was the default setting – and even when the phone number was set to ‘only me’, it was overridden to revert to ‘Public’.

“I respectfully disagreed with the company’s response back then. It seemed like a business decision. However, I had trouble with the fact that many people were not aware that even though their phone number was set to private, they could still be looked up by their phone number by default,” De Ceukalaire told The Daily Swig.

“There was not even an option to set the ‘Who can look me up’ feature to private in 2017 – they only added that later.”

‘Establishing the full facts’

Facebook may or may not be off the hook as far as GDPR is concerned, with the Irish Data Protection Commission, which oversees the Dublin-headquartered company, saying it is looking into the matter.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” it said in a statement.

“The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period. The DPC attempted over the weekend to establish the full facts and is continuing to do so.”

De Ceukelaire suggests that Facebook is attempting to fudge the issue.

“It seems like most of their effort now goes into downplaying the breach, moving the discussion to terminology instead of the real issue and making sure they don’t issue an apology of any kind as it can be seen as an acknowledgement of responsibility for regulators,” he says.

The Daily Swig has reached out to Facebook for comment and will update this story accordingly.

YOU MAY ALSO LIKE Enter the Matrix: Secure communications network hits 30 million user milestone