Facebook has suffered from another data breach. In all, 533 million accounts have been compromised as a result of the latest breach.
Facebook's security is once again in the spotlight, and not in the way Facebook would like. A database containing the personal information of 533 million users has reportedly been circulating privately since January; security researchers picked up on it only recently.
From Engadget:
About 32 million of the users are in the US, while 11 million are from the UK and another 6 million come from India.
Gal first spotted the data in January, when Telegram users could pay to search the database. The intruders reportedly took advantage of a flaw that Facebook fixed in August 2019 and reportedly includes information from before that fix. You might not be in trouble if you’re a relative newcomer or have changed key details in the time since the fix, but the breach still leaves many people vulnerable.
As Gal noted, Facebook can only do so much when the data is already in circulation and the related flaw is no longer an issue. The social network could notify affected users, though, and there’s pressure on the company to alert affected users so they can watch for possible spam calls and fraud.
The researcher was apparently frustrated that Facebook had yet to acknowledge that a breach even took place, and as a result users have not been notified. The whole database is now floating around the web for free (whereas before it was pay-to-access on Telegram).
We are learning that Facebook has finally acknowledged that the breach took place, but simply brushed it off as an “old” breach. From Global:
Facebook acknowledged the news in an emailed statement Saturday afternoon, but said the data was obtained during a breach in 2019.
“This is old data that was previously reported on in 2019,” a Facebook spokesperson said. “We found and fixed this issue in August 2019.”
The report goes on to note that about 3,494,385 Canadians are also affected by this breach.
This is far from the first security incident Facebook has suffered from. In December of 2019, Facebook suffered from a different leak that saw an estimated 267 million accounts compromised. Before that, in September of 2019, Facebook suffered from a leak that affected 419 million accounts. In September of 2018, Facebook was separately hacked and an estimated 50 million accounts were compromised.
As for repercussions, Facebook has been hit with fines over misuse of personal information. The big one most people will remember is the $5 billion fine from the FTC back in 2019. In the same year, Turkey fined Facebook $270,000. In 2020, Brazil fined Facebook $1.6 million, and the Australian Information Commissioner filed a lawsuit against Facebook as well. All of that was over the Cambridge Analytica data mining scandal.
In another report, Facebook was theoretically facing a $1.62 billion fine over the 50 million user hack. So, this latest incident isn’t exactly uncharted territory for the platform.
While it’s bad that Facebook suffered yet another security incident, the worst part is what Facebook chose to do afterwards. Ideally, you inform affected users and give them a chance to change their passwords and review their other security settings, so that their accounts are at least as safe as they can be at that stage. Judging by the reports, that isn’t what happened. Instead, Facebook chose to stay mum about the incident, perhaps in the hope that it would blow over and no one would find out. From both a security and a legal liability standpoint, that is about the worst way a company can handle it, especially in light of the GDPR in Europe. Had Facebook chosen to be forthcoming, the platform would be in a better position today.
At this stage, the only good news for Facebook is that it won’t face any real consequences for its actions in Canada. The worst that can happen is a PR exercise in the form of a strongly worded letter, and that’s it. Back in 2020, it started to look like Canada was actually taking some responsibility for the safety of its citizens by introducing badly needed privacy laws, but those laws have stalled since then, with the Innovation Minister blaming the opposition for the stalled legislation.
On top of that government negligence, if Canadians’ phone numbers wind up on spam lists and their bank accounts get drained by fraudsters working from the leaked details, oh well. No one is going to be held accountable for how that came to be. As such, Canada is a bit of a wild west on that front, where anything goes. The bad news for Facebook is that this is only one country that chose not to give a flying expletive about its citizens’ personal information.
For most countries around the world, Facebook can be fined if it is found to have been negligent with people’s personal information. The only debate is whether the fines are proportionate to the size of the breach. Since Facebook is a multi-billion dollar company, sometimes the fines are so low that all Facebook has to do is rummage through the lunch room couch for loose change. Other times, the fines are a minor inconvenience for the company’s accounting department. So, understandably, a big source of debate is how to properly hold large tech giants accountable when they lose control of their users’ personal information.
Then there is the PR front. Several aspects of this are already working against Facebook. First, another incident has occurred. Second, Facebook reportedly tried to ignore the incident rather than notify affected users. Third, when it was publicly brought to Facebook’s attention, Facebook chose to ignore it. Fourth, when the media came asking, the best Facebook could manage was to brush it all off as “old” data. On what planet is that even close to good enough?
If I had any decision-making authority at Facebook, I would ask the technical team to run a database query for users who haven’t changed their passwords since the August 2019 fix. Flag the active users in that category and require a password change. For inactive users, flag the accounts and require a password change if and when they become active again. That alone would go a long way toward rectifying the situation. From there, the PR team would have it easy: affected users have been notified and corrective measures have been put in place. Could more be done? Probably. Still, what I describe would be a whole lot better than the actions reportedly taken.
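The flagging procedure just described, as an added example that is not part of the original post and is not Facebook's code. It assumes a minimal `users` table with a password-change date and a last-login date (stored as ISO date strings so SQLite compares them correctly), takes 1 August 2019 as the fix date and 90 days without a login as "inactive"; all of those are assumptions, and the sample accounts are constructed.

```python
"""Flag accounts whose password predates the August 2019 fix and force a
reset: immediately for active accounts, at next login for dormant ones.
Added illustration only; the schema, dates, thresholds and sample users
are assumptions, not Facebook's own data or code."""
import sqlite3
from datetime import date, timedelta

FIX_DATE = date(2019, 8, 1)      # assumed exact day of the August 2019 fix
INACTIVE_AFTER_DAYS = 90         # assumed: no login for 90 days means "inactive"

# Constructed sample accounts: (user_id, password_changed_at, last_login_at).
SAMPLE_USERS = [
    ("alice", "2018-03-10", "2021-04-02"),  # old password, active   -> reset now
    ("bob",   "2018-03-10", "2019-11-20"),  # old password, dormant  -> reset at next login
    ("carol", "2020-01-15", "2021-04-01"),  # changed after the fix  -> untouched
    ("dave",  "2019-08-01", "2021-03-30"),  # changed on the fix day -> untouched
]


def open_db():
    """In-memory SQLite database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE users (
            user_id             TEXT PRIMARY KEY,
            password_changed_at TEXT NOT NULL,  -- ISO date: lexicographic order == chronological
            last_login_at       TEXT NOT NULL,
            reset_required      INTEGER NOT NULL DEFAULT 0,
            reset_trigger       TEXT              -- 'now' or 'next_login'
        )""")
    conn.executemany(
        "INSERT INTO users (user_id, password_changed_at, last_login_at) VALUES (?, ?, ?)",
        SAMPLE_USERS)
    conn.commit()
    return conn


def flag_stale_passwords(conn, today_iso):
    """One pass over the table: every password set strictly before FIX_DATE is
    flagged. Active accounts get an immediate reset, dormant ones a reset that
    fires at their next login. Returns {user_id: trigger} for flagged accounts."""
    today = date.fromisoformat(today_iso)
    active_cutoff = (today - timedelta(days=INACTIVE_AFTER_DAYS)).isoformat()
    conn.execute("""
        UPDATE users
           SET reset_required = 1,
               reset_trigger  = CASE WHEN last_login_at >= ? THEN 'now' ELSE 'next_login' END
         WHERE password_changed_at < ?""",
        (active_cutoff, FIX_DATE.isoformat()))
    conn.commit()
    rows = conn.execute(
        "SELECT user_id, reset_trigger FROM users WHERE reset_required = 1 ORDER BY user_id")
    return dict(rows)


def login(conn, user_id, today_iso):
    """Login hook: record the login and report whether the reset gate must be
    shown. Dormant accounts flagged 'next_login' are caught here when they
    come back, which is the second half of the procedure."""
    conn.execute("UPDATE users SET last_login_at = ? WHERE user_id = ?", (today_iso, user_id))
    conn.commit()
    row = conn.execute("SELECT reset_required FROM users WHERE user_id = ?", (user_id,)).fetchone()
    return row is not None and row[0] == 1


def password_changed(conn, user_id, today_iso):
    """Clear the flag only once the user has actually set a new password;
    merely logging in must not clear it."""
    conn.execute("""
        UPDATE users
           SET password_changed_at = ?, reset_required = 0, reset_trigger = NULL
         WHERE user_id = ?""", (today_iso, user_id))
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    print(flag_stale_passwords(db, "2021-04-05"))
    print("bob must reset at login:", login(db, "bob", "2021-04-06"))
```

The comparison is strict (`<`), so a password changed on the fix day itself is left alone; whether that day should count is a policy choice, and the `last_login_at` update in `login` is what turns a 'next_login' flag into an actual prompt.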
What will be interesting to see is what will happen moving forward in all of this. It can be touch and go with Facebook breaches and leaks. Still, one hopes that something will be done to mitigate the damage of this latest incident.
Drew Wilson on Twitter: @icecube85 and Facebook.