A set of files with 533 million cell phone numbers was released for free this weekend. Facebook confirms that it is the source of this leak, but want to make it clear – for some reason – which was not the victim of an invasion. In fact, this was not necessary, because the social network exposed its users’ data in a resource to import contacts.
“It is important to understand that malicious agents obtained this data not through hackers on our systems, but by scraping our platform before September 2019,” explains Facebook.
Scraping, or scraping, is an automated way to collect data available on the internet. This was used with a Facebook tool that made it possible to find friends on the social network through their cell phone numbers.
In 2019, the company found that this was being used to extract data. So it prevented malicious agents from trying to imitate the contact importer by uploading multiple phone numbers to see which ones had a Facebook profile – even CEO Mark Zuckerberg was affected.
“We are confident that the specific problem that allowed them to extract this data in 2019 no longer exists,” says the company. The leak does not include financial, health or password information.
The data was apparently collected until August 2019; GDPR was already in effect in Europe since May 2018 and establishes a fine of 2% of annual revenue for companies that do not report leaks. For its part, the LGPD (General Law for the Protection of Personal Data) only began to take effect in September 2020.
The incident is being investigated in the European Union and Russia; in addition, Procon-SP wants to know more details, since 8 million Brazilians were affected.
Facebook leak remains available on the internet
Facebook ends the statement with two tips for users:
- in the privacy settings, go to “Privacy” and adjust who can search for you using the email address or phone number in your profile – there are the options “only me”, “friends”, “friends of friends” and “all”;
- do the Privacy Check to decide who can see certain information in your profile, and to enable two-factor authentication.
A specific excerpt from that communique irritated security experts: “collecting data using resources designed to help people violates our terms”.