Facebook failed to notify more than 530 million users impacted by a data security breach in which personal account data was leaked online.
The monumental security breach, which occurred prior to September 2019, used software that scraped user data from the platform by taking advantage of a now-fixed flaw.
Phone numbers and other details from user profiles were made available in a public database by the hackers over the recent Easter weekend, although financial information, health information or passwords were not included.
A Facebook spokesman has since said that the firm is not confident that it could tell which users would need to be notified.
On Tuesday, Ireland’s Data Protection Commission, the European Union’s lead regulator for Facebook, said it had contacted the company about the data leak but received “no proactive communication”.
The social network did not offer any apology for the incident, although it has opened up in a blog post about why it occurred.
Mike Clark, Facebook’s product management director, said his firm believed the data was scraped using its contact importer, a feature designed to help people find their friends.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer,” he said. “In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.
“Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles.”
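The abuse Clark describes is a bulk-matching pattern: a client uploads large sets of phone numbers to a contact-import endpoint and learns which ones belong to accounts. The following is an added example, not Facebook's own code or log format, showing the defender's side of that problem: a sliding-window detector run over constructed request-log lines to surface clients submitting far more numbers than a genuine contact import would, and a per-client limiter that refuses further batches once a cap is reached. The log format, the client identifiers, and the thresholds (10,000 numbers or 20 batches per hour) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical contact-import endpoint.
# Assumed format: "<ISO timestamp> <client_id> <phone_numbers_in_batch>"
SAMPLE_LOG = """\
2019-08-01T10:00:00 app-ios-7f3a 42
2019-08-01T10:01:30 app-ios-7f3a 15
2019-08-01T10:00:05 scraper-01 5000
2019-08-01T10:00:11 scraper-01 5000
2019-08-01T10:00:17 scraper-01 5000
2019-08-01T10:00:23 scraper-01 5000
2019-08-01T10:03:00 app-android-b21c 120
"""

# Assumed policy limits: a real address book is small; these caps are generous
# for legitimate imports but far below what a bulk matcher needs.
MAX_NUMBERS_PER_WINDOW = 10_000
MAX_BATCHES_PER_WINDOW = 20
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, batch_size) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, size = line.split()
        events.append((datetime.fromisoformat(ts), client, int(size)))
    return events


def flag_bulk_importers(events, max_numbers=MAX_NUMBERS_PER_WINDOW,
                        max_batches=MAX_BATCHES_PER_WINDOW, window=WINDOW):
    """Detection: return {client: reason} for every client whose contact-import
    volume within any sliding window exceeds the number or batch limits."""
    by_client = defaultdict(list)
    for ts, client, size in sorted(events):
        by_client[client].append((ts, size))

    flagged = {}
    for client, batches in by_client.items():
        start, total = 0, 0
        for end, (ts, size) in enumerate(batches):
            total += size
            # Slide the window start forward past batches older than `window`.
            while batches[start][0] < ts - window:
                total -= batches[start][1]
                start += 1
            count = end - start + 1
            if total > max_numbers:
                flagged[client] = f"{total} numbers submitted within {window}"
                break
            if count > max_batches:
                flagged[client] = f"{count} batches submitted within {window}"
                break
    return flagged


class ContactImportLimiter:
    """Mitigation: per-client cap on phone numbers accepted per window.
    Batches beyond the cap are refused rather than answered, so a client
    cannot keep probing which numbers match accounts."""

    def __init__(self, max_numbers=MAX_NUMBERS_PER_WINDOW, window=WINDOW):
        self.max_numbers = max_numbers
        self.window = window
        self.history = defaultdict(list)  # client -> [(timestamp, batch_size)]

    def allow(self, client, ts, batch_size):
        hist = self.history[client]
        # Forget batches that have aged out of the window.
        hist[:] = [(t, s) for t, s in hist if t >= ts - self.window]
        if sum(s for _, s in hist) + batch_size > self.max_numbers:
            return False  # refused; not recorded, so the cap is not inflated
        hist.append((ts, batch_size))
        return True


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for client, reason in flag_bulk_importers(events).items():
        print(f"FLAGGED {client}: {reason}")
    limiter = ContactImportLimiter()
    for ts, client, size in sorted(events):
        verdict = "allowed" if limiter.allow(client, ts, size) else "refused"
        print(f"{ts.isoformat()} {client} batch={size} {verdict}")
```

Run against the constructed log, the detector flags only `scraper-01`, and the limiter accepts its first two batches (10,000 numbers in total) and refuses the rest, while the two ordinary app clients are unaffected.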
Social media expert and industry commentator Matt Navarra said Facebook’s response failed to show enough empathy to those affected by the breach. Speaking to the PA news agency, Navarra said: “Facebook’s explanation of it being data scraping, not hacking, is only part of the story here. It’s also about the way Facebook communicates. Its tone and demeanour fail to strike the right tone with the victims of the incident.
“Over 500 million users’ account details are being exploited due to vulnerabilities in Facebook’s systems. That’s 500 million users who want Facebook to show some level of empathy, regret and who want an apology. Facebook’s response feels cold, clinical, defensive and argumentative. Almost like it is trying to play down the scale of the incident.
“Starting with ‘We’re sorry’ would have been a good opener. For a business that’s all about friendships and connections, Facebook has yet again made more enemies instead.”
The website Have I Been Pwned?, which lets people check whether their data has been leaked online, has now added the Facebook dataset to its collection, including user phone numbers for the first time. The site notes that the dataset comprises at least 509,458,528 affected Facebook accounts.