Facebook says the leak of 533 million users' data online wasn't a hack - but its explanation of what happened doesn't quite add up
- Insider reported last week that
datafor 533 million
- Facebook on Tuesday said the data was "scraped" sometime before September 2019.
- Its explanation for what happened doesn't quite make sense.
Facebook wants you to know that the
Facebook published a blog post on Tuesday explaining why it had not disclosed the apparent
Facebook said the data had not been obtained by hacking into its systems. Instead, it said it had been scraped off the platform at some point before September 2019.
"Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this," the Facebook product-management director Mike Clark wrote in the blog post.
Clark said the method used to obtain the data exploited a vulnerability in Facebook's contact importer, a tool that allows users to find the Facebook profiles of people using phone numbers. Facebook says that it fixed that particular vulnerability in August 2019 and that it was previously reported on.
This would mean it was not a new breach and the company therefore wasn't obliged to notify anyone about it.
As reported by Wired's Lily Hay Newman, however, Facebook's timeline doesn't quite make sense.
Facebook's post links to a September 2019 CNET article as an example of previous reporting on the data leak. CNET's article refers back to a September 2019 article from TechCrunch, which details a server containing the data of 419 million Facebook users being exposed online.
A Facebook representative told TechCrunch in 2019: "This data set is old and appears to have information obtained before we made changes last year" - 2018 - "to remove people's ability to find others using their phone numbers."
Given that Facebook has said the vulnerability for the most recent data breach was plugged in August 2019, this would suggest the dataset mentioned by the CNET and TechCrunch articles is different from the one Insider reported last week.
Newman also reported there were observable differences in the two datasets, such as in the proportion of users from various countries.
The company did not immediately respond to Insider when asked to clarify.
Facebook must be precise in its statements about exactly what data was leaked and when, or else it could draw the ire of regulators.
Facebook reached a settlement with the US Federal Trade Commission in July 2019, which requires it to report security breaches to the agency.
Ireland's Data Protection Commission on Tuesday announced it was looking into the dataset and whether it contained leaked data that wasn't previously reported.
According to the DPC, Facebook said the recent data set could have been cobbled together from older breaches. "The data at issue appears to have been collated by third parties and potentially stems from multiple sources," Facebook said.
- A massive study from Israel suggests older adults were far less likely to develop severe COVID-19 after a booster shot, but the finding carries major limitations
- Everything you need to know about iOS 15: Release date, new features, supported devices
- Watch SpaceX launch 4 space tourists into Earth's orbit
- ENO's latest campaign for rural India reaches 35 million viewers through Facebook and Jio's KaiOS
- Insider trading, IP theft, fake art and fake profiles — Scammers are taking advantage of NFT platforms’ lack of regulation
- Paras Defence and Space Technologies IPO to open on September 21
- Ajay Devgn performs his iconic stunt for Mahindra FURIO 7 range
- Sensex tops 59,000 mark, Telecom stocks soar