"Not hacked": Facebook logo
Photo: Dado Ruvic / REUTERS
One would think that Facebook has had enough practice in crisis PR by now.
But when it became known last weekend that someone had published a data set on more than 530 million Facebook users in a hacker forum, the company's first reaction was irritatingly tight-lipped.
At issue were the cell phone numbers of no fewer than half a billion people, millions of email addresses, Facebook IDs, full names, places of residence and dates of birth.
But Facebook spokeswoman Liz Bourgeois only wrote: “This is old data that was reported in 2019.
We found and fixed the problem in August 2019.” And she wrote that only on Twitter.
Nothing further came from the company until Tuesday evening, despite several media inquiries.
The blog post then published still does not answer all of the questions.
Instead, Facebook is clearly trying to downplay the incident and shift responsibility for it.
The company's arguments are:
It is "important to understand" that Facebook was not hacked, but that someone copied the data from the platform by scraping, that is, through automated, mass retrieval of data that was in principle publicly available.
There were media reports about this in 2019.
The user data contained "no financial information, health information or passwords".
Even if Facebook addressed the problem identified in 2019, it is "always good for everyone" to ensure that your own Facebook profile settings match what you want to share publicly.
As if it makes a difference for those affected whether their data was collected through an illegal or a legal process against their will.
As if the problem had been settled by media reports two years ago, and as if nobody still had the same cell phone number as in 2019. As if it were an achievement by Facebook not to have lost control of financial data, health data and passwords, which nobody had been talking about here anyway.
And as if the whole matter were now a problem for those affected, but not for Facebook.
What incident is Facebook talking about?
In addition, the company has not yet been able to explain when exactly the data was actually copied from the platform.
On the contrary, Facebook causes even more confusion: "We believe that the data in question was scraped out of Facebook profiles by malicious actors before September 2019," says the blog post.
At the same time, Facebook links to a "CNET" article from 2019, which describes a data leak that Facebook estimated at the time to affect 220 million people.
However, it was not “CNET” that revealed it, but “TechCrunch”, and its author had told Facebook at the time that the case concerned “old data”, so it must come from 2018 or before.
Facebook data leak
What happened?
Unknown persons published a large amount of Facebook user data from a previous data leak in a hacker forum.
It includes around 533 million mobile phone numbers and 2.5 million e-mail addresses.
When and how the data got into the hands of the perpetrators, Facebook has not yet been able to explain exactly.
It is therefore also unclear to what extent the data record contains mobile phone numbers that have never been published on Facebook by those affected.
Who is affected?
The dataset contains the data of 32 million US-Americans, eleven million British and six million users from India.
According to its own information, Facebook is still investigating how many Germans are among those affected.
According to the IT security company Avast, there are also six million.
At haveibeenpwned.com you can enter your mobile phone number and see whether it is included in the leaked record.
The developers of the Dashlane password manager offer a breach center at this link, where you can check whether your own email address has been compromised in the Facebook leak or another data leak.
What should those affected do?
Anyone who has not changed their mobile phone number after 2018 or 2019 could now receive more fraudulent or spam SMS, or corresponding emails.
It is important not to click on the links they contain and not to respond to requests for further data.
Banks and other companies would never ask for access credentials or other data out of the blue by SMS or e-mail.
Something doesn't fit together here.
Are the masses of data now published the loot from an incident in 2019 or 2018?
One that was significantly bigger than Facebook was willing to admit at the time, or one that Facebook had never admitted to before?
This is not really clear so far, not even to the Irish data protection authority DPC, which is responsible for European users.
As "Politico" reports, the DPC is also trying to understand the case and had not received any proactive communication from Facebook as of yesterday.
For the DPC, the details are important, because if the user data was tapped when the General Data Protection Regulation (GDPR) was already in force, i.e. after May 25, 2018, Facebook would have had a reporting obligation.
The company also has no plans to contact those affected individually. One could "not see with complete certainty who should be informed," it says by way of justification. In Facebook's very own logic, it obviously follows that in such a case it is better to put up a smokescreen. You'd think Facebook knew by now that it couldn't get away with it.