Facebook does not plan to notify half-billion users affected by data leak (opens in new tab)

(reuters.com)

346 pointschallengly4y ago93 comments

93 comments

So after longing it out, today I had a look on haveibeenpwned, and it seems I am one of those whose data has leaked.

After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.

Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.

What can an individual, or perhaps everyone affected, do in this scenario?

nuclear_eclipse4y ago

Assuming that the data is just your phone number and name/email, is it not possible that this is just from friends who have allowed Facebook and/or Messenger to share contact info? Your original account data almost certainly would have been deleted/purged due to various regulatory requirements, but that doesn't necessarily stop your contact info from being shared again and making its way back into the system.

sorokod4y ago

But then again, Occam's razor would suggest that FB never deleted the data in the first place.

By the way, data is not "making its way back" like some sort of salmon trying to get back to the source, it is forcefully harvested by FB.

1 more reply

pieter_mj4y ago

Check out the following twitter thread : https://twitter.com/carolecadwalla/status/137983433288654029...

Renowned hacker Inti De Ceukelaire informed facebook of this breach in 2017, but FB just sat on it for a year and did nothing, ultimately claiming it was scraped from publicly available data at the time.

So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.

FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.

eloff4y ago

My phone number is in haveibeenpowned. Maybe it's from another leak? I deleted my Facebook account years ago and it doesn't have my new number. WhatsApp does.

bassdropvroom4y ago

I only recently deleted my WhatsApp, so could very well be. Though, according to HIBP it's from the same leak that has recently become known, but who knows.

1 more reply

HNfriend2344y ago

haveibeenpwned pulls from multiple data leaks. So it is likely your data was leaked somewhere else and the company that got hacked simply never reported it. Happens all the time. Once your data has been leaked. There is nothing you can do about it. Your information will simply just float out there in the internet ether forever.

This is why it is so important for everyone to go pseudonymous online especially if you are doing ANYTHING that can be remotely viewed as controversial, like political speech. The reality is whether you like it or not, your personal information will be leaked.

I know these days everyone wants to be a social activist on social media today but just don't do it. It is not worth it if some nut job decides to go after you for whatever reason. It is very easy these days to find where people live, work, phone numbers etc by simply knowing their first name, last name and general location of where they live. Most people openly disclose this information.

marshmallow_124y ago

i will automatically give less credence to an anonymous person. They are giving me nothing of themselves, so they expect nothing, and feel no obligation to present the truth. On the flipside, being anonymous, i don't take myself seriously enough. Yes, this has regrettably made me come close to trolling, i've worked on it, but i'm still not close to being fully genuine and i know that.

amacalac4y ago

Yeah, can you imagine them having to tell Zuck his number got leaked. He's gonna be furious!

Source: https://www.androidauthority.com/mark-zuckerberg-signal-1215...

imoverclocked4y ago

I guess his users can now call him directly to air grievances over data leaks.

Johnny5554y ago

Aren't they required to disclose this, at least to California residents, under California's data breach disclosure laws? Or was it not the type of PII covered under the law?

bostonsre4y ago

"Facebook, which has long been under scrutiny over how it handles user privacy, in 2019 reached a landmark settlement with the U.S. Federal Trade Commission over its investigation into allegations the company misused user data. [...]

The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."

Seems like it.

nolok4y ago

In EU law too. Booking.com just got convicted half a million just for notifying TOO LATE (two weeks after the fact).

I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.

Oh wait, weren't there also shadow numbers in this ? Aka you had my number you uploaded it so it's in the leak even though I had no relation to them ? Might be why, they have no right to contact me to warn me

pmlnr4y ago

Yeah, but the b.com leak involved credit card data which changes everything in the eyes of regulators. Sadly this is not true for "mundane" data like phone numbers, email addresses, or even physical addresses.

1 more reply

dpifke4y ago

All 50 states have some form of data breach notification law, not just California: https://www.ncsl.org/research/telecommunications-and-informa...

sxp4y ago

Does the law apply here? https://about.fb.com/news/2021/04/facts-on-news-reports-abou... says the breach was in 2019. What was the CA law at that time?

t0mas884y ago

They are absolutely required to report this to the data protection agencies in all European countries. As the other comment mentioned, missing the 72 hour deadline on this is enough to get a fine as Booking.com did.

I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.

nerbert4y ago

At this point they must be like a deer in front of the flashlights, hoping the car will dodge them.

1 more reply

challenglyOP4y ago

GDPR is a gift to large corporations. Regulatory capture in return for a slap on the wrist. It also burdens startup competition and trains people to click "Allow Cookies" and "Accept the Terms of Service" as fast as possible.

3 more replies

newswasboring4y ago

Not happening because at best FTC can fine them. That is just cost of business to them these days. Its part of their move fast and break things philosophy.

smsm424y ago

Too big to follow laws?

iso16314y ago

Facebook today closed at a record high of 309, up from 299, on the first trading day after this leak hit the press. It has since increased to a higher record high (currently 312 with 10 minutes left)

1-64y ago

Wall Street fueled by Jim Cramer's FAANG doesn't care about consumer privacy.

Cookingboy4y ago

Because Wall Street realizes even consumers don't care about consumer privacy.

If Ashley Madison and Equifax walked away with barely a scratch from their catastrophic breaches, then this is almost nothing in comparison.

3 more replies

blackearl4y ago

Wasn't this leak already 2 years old? Just because the media decided to pump it up this week doesn't mean it just happened.

I've also yet to see anything real come of these kinds of leaks.

omnimike4y ago

Give that the data leak is 2+ years old I’m wondering why it’s getting so much attention in the media right now, just as FB hits record highs. The cynic inside me suspects that this is actually a ploy to manipulate the stock price, though I can’t tell who would benefit from it.

iso16314y ago

Because the data is now widely available to anyone and his dog

grenoire4y ago

Priced in, as usual (not even meme-ing).

m12k4y ago

What's the maximum fine under GDPR? It's some percentage of global revenue, right?

pilsetnieks4y ago

paulpan4y ago

As others noted in the other thread (https://news.ycombinator.com/item?id=26736285), the correct action here would be a punitive fine by FTC or FCC for 1) the size of the leak and 2) that FB is refusing to notify impacted users.

Something to the tune of $30-50B, to also send a clear message to all other companies. In this case, FB appears to have sat idle since previous $5B fine for the Cambridge Analytica fiasco. So 10X that previous fine would seem appropriate.

Long term, holding the leaders and board of companies criminally liable for user PII and data leaks (similar to SOX compliance) might be the best solution. The reality, however, is that no such regulation will occur and companies like FB can continue to lackadaisically treat user privacy and data security.

adamsvystun4y ago

This is disappointing. Admitting the mistake is crucial in the process of fixing the problem. This just shows that they have learned little after all the company has been through.

dylan6044y ago

>This just shows that they have learned little after all the company has been through.

This is just yet another example of that. It's not like we didn't realize they don't care until this instance. It's hard wired in the DNA, and this is just more evidence of that.

1 more reply

smsm424y ago

That implies they see it as a problem that needs to be fixed. But what if they don't care? After all, their business is collecting and selling these data. It being copied by somebody looks bad, but advertisers probably won't do downloading user lists on darknet, so the damage to the main business is minimal. And people still on Facebook don't seem to be willing to punish Facebook for violating their privacy, so...

MattGaiser4y ago

Admitting the mistake, not admitting the mistake publicly.

sigmonsays4y ago

how is this acceptable?

i'm glad I quit facebook long ago but this angers me for the people who dont stay up to date on security breaches.

bhaavan4y ago

Well this breach is an old breach from 2019. People should stay up to date with security breaches.

ce44y ago

Wasnt there some hints that parts of the leaked PII are more recent?

1 more reply

dylan6044y ago

why would we need to? it's all of the news, so the people have been notified. --Facebook

woudsma4y ago

And they apparently also didn't plan on deleting my PII (phone number was in the leak), even after I permanently deleted my account at FB over 3 years ago.

I thought I had the 'right to be forgotten' because of the GDPR, as I'm a European citizen. Has there been any real enforcement of these laws aside from the relatively small fine here and there?

I've been blocking FB actively for the last few years, I can't even visit FB because of my /etc/hosts file setup. It seems quite impossible to get back some privacy online even though I try and take measures. Use Duckduckgo, Brave browser, VPN, no social media, etc. I was a happy person when GDPR first came through.

t0mas884y ago

If you're in Europe you can file a complaint with your local data protection agency. They will definitely already have some investigation on Facebook so this just adds more to it.

smcl4y ago

Here is how you find that, by the way: https://edpb.europa.eu/about-edpb/board/members_en

varispeed4y ago

I think after such data leak, it should be possible to ask company who enabled the leak, to put the matters as they were before the leak - that is buying you a new phone number, setting up a new name, new address and whatever else that was leaked. The new address should be in comparable standard to the old one.

aminozuur4y ago

The data was scraped years ago and just released now. Only the things you shared publicly already, such as your first and last name on Facebook, were "leaked", except for a few private phone numbers.

woudsma4y ago

I've never had public profile information. Only visible for friends (and my phone number wasn't even visible there). How would my private phone number get into that dataset? That would suggest that they have more than just public data.

1 more reply

anonu4y ago

If you use the internet your name and phone number is going to be out there eventually. There's not much you can do. Not saying things can't be better. But at this point in time, your name and number should be assumed not to be private.

hetspookjee4y ago

So it wasn't too long ago that the news got head of the Facebook "Supreme Court" that is supposedly even above mr Zuckerberg. I wonder what would happen if you'd appeal to them about this blatant disregard of sovereign laws worldwide. I don't know a single country that does not have some law in place forcing the leaker to notify the user. Obviously barrely any country does it, and if so, Booking just got a laughable 400k fine in the Netherlands for not notifying in time (though they eventually did just too late). I'm sure Facebook will get away with it. One thing I've learned s that theirs barrely a better time to buy big tech stock when they've announced a data leak. Though others seem to have caught on with that sentiment as the stock has been rising.

varispeed4y ago

Even if a country decided about doing something about it, would they risk Facebook blocking that country altogether? Facebook has so much money, pretty much any fine will be just a slap on the wrist. What else they can do without causing public to go mad? Capture Mark and make him do time?

mrweasel4y ago

Won't that get them in trouble in the EU? I had to check, but the GDPR was implemented in 2018, and the leak was in 2019.

benja1234y ago

It’s not clear which leak the data is from. From the articles I read there were two leaks that the data may have come from. One in 2018 and one in 2019.

drusepth4y ago

In either case, it seems like they would have notified users (if at all) when they were alerted to the leak and fixed the vulnerability.. not 2-3 years later.

2pEXgD0fZ5cF4y ago

You can count on the people at Facebook to do the wrong thing

erellsworth4y ago

Doesn't this mean they will get fined out the arse by Europe under the GDPR?

Red_Leaves_Flyy4y ago

Who's going to blink first though?

erellsworth4y ago

Good question.

type04y ago

It doesn't and they know that.

Muromec4y ago

What is really strange about this data leak is what is missing in it. I see at least two countries that aren't there.

Strom4y ago

The leak contains 105 countries, so there's quite a bit more than 2 that are missing - more like a hundred.

DougN74y ago

Really? Which two?

Muromec4y ago

Ukraine and Thailand are missing from the "533M records" dump.

Imnimo4y ago

Maybe they could save time by notifying the people who were -not- affected.

yepthatsreality4y ago

That’s fine. This has pushed me to close my last remaining account with them in the next 24 hours, so they won’t need to send me a breach notice after they’re sued for it.

Thanks Facebook admin for the encouragement to speed up my plans!

1-64y ago

Sometimes I wonder if the data from the cameras on my Oculus Quest 2 is being sent to FB's servers and kept. I guess I'll never know.

fshbbdssbbgdd4y ago

It’s going over your wifi, right? To start, you could evaluate whether the upload bandwidth could fit a video signal.

shock-value4y ago

I think there is no doubt it isn't uploading a raw video signal. But all kinds of things could be derived from that video and uploaded.

2 more replies

dmitrygr4y ago

Better lower that bandwidth requirement estimate:

https://www.engadget.com/reddit-movie-floppy-disk-vcr-180230...

bostonsre4y ago

Yea.. felt like I sold my soul when I bought one and needed to create a fb account. But in death: unchained is so damn fun. I've always wondered if they operate oculus at a massive loss all so that they can collect a bunch of data. Does anyone know if the facebook info dump stuff shows what oculus data they collect?

ipaddr4y ago

Yes data is shared and kept. Now you know.

benja1234y ago

To be fair I don’t think I have ever been notified by any company when my data has been leaked and according to haveibeenpwned that has happened quite a few times.

I am not a lawyer, but I find myself wondering if they are binded to GDPR in this case as judging from online articles the actual “leak” itself may have happened prior to May 2018. It also maybe that the nature of the PII itself is not such that it needs to be reported to the users (no passwords, private messages etc...)

cdolan4y ago

I have been notified many times by reputable firms that my data has been taken, even if it was just a password.

Most of the stuff that I appear on havibeenpwned for is some strange data brokerage that probably grabbed my data from another hacked brokerage, etc

auiya4y ago

Facebook is probably also not planning to pay out hefty fines for GDPR violations, but alas...

varispeed4y ago

That's what I thought. GDPR was created mainly to spend tax payer money on thousands of meetings, lawyers, dinners, conferences and whatever else was possible just to tick few boxes, give people false sense of security and pat themselves on the back while salivating over buffed up bank accounts. For such a blatant disregard for the law, surely they should have been fined by now? Given that they can just exist like that it seems to me they are probably selling or supplying governments with information about citizens, so they may be above the law because of that.

scottmcleod4y ago

A scrape is not a leak

pmlnr4y ago

Well, FB doesn't allow me to export my own contacts' details - email, phone number, etc - with it's data export, so no, this is a leak.

j / k navigate · click thread line to collapse

93 comments

bassdropvroom4y ago

So after longing it out, today I had a look on haveibeenpwned, and it seems I am one of those whose data has leaked.

After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.

Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.

What can an individual, or perhaps everyone affected, do in this scenario?

nuclear_eclipse4y ago

sorokod4y ago

But then again, Occam's razor would suggest that FB never deleted the data in the first place.

By the way, data is not "making its way back" like some sort of salmon trying to get back to the source, it is forcefully harvested by FB.

1 more reply

pieter_mj4y ago

Check out the following twitter thread : https://twitter.com/carolecadwalla/status/137983433288654029...

So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.

FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.

eloff4y ago

My phone number is in haveibeenpowned. Maybe it's from another leak? I deleted my Facebook account years ago and it doesn't have my new number. WhatsApp does.

bassdropvroom4y ago

I only recently deleted my WhatsApp, so could very well be. Though, according to HIBP it's from the same leak that has recently become known, but who knows.

1 more reply

HNfriend2344y ago

marshmallow_124y ago

amacalac4y ago

Yeah, can you imagine them having to tell Zuck his number got leaked. He's gonna be furious!

Source: https://www.androidauthority.com/mark-zuckerberg-signal-1215...

imoverclocked4y ago

I guess his users can now call him directly to air grievances over data leaks.

Johnny5554y ago

Aren't they required to disclose this, at least to California residents, under California's data breach disclosure laws? Or was it not the type of PII covered under the law?

bostonsre4y ago

The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."

Seems like it.

nolok4y ago

In EU law too. Booking.com just got convicted half a million just for notifying TOO LATE (two weeks after the fact).

I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.

pmlnr4y ago

1 more reply

dpifke4y ago

All 50 states have some form of data breach notification law, not just California: https://www.ncsl.org/research/telecommunications-and-informa...

sxp4y ago

Does the law apply here? https://about.fb.com/news/2021/04/facts-on-news-reports-abou... says the breach was in 2019. What was the CA law at that time?

t0mas884y ago

I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.

nerbert4y ago

At this point they must be like a deer in front of the flashlights, hoping the car will dodge them.

1 more reply

challenglyOP4y ago

3 more replies

newswasboring4y ago

Not happening because at best FTC can fine them. That is just cost of business to them these days. Its part of their move fast and break things philosophy.

smsm424y ago

Too big to follow laws?

iso16314y ago

Facebook today closed at a record high of 309, up from 299, on the first trading day after this leak hit the press. It has since increased to a higher record high (currently 312 with 10 minutes left)

1-64y ago

Wall Street fueled by Jim Cramer's FAANG doesn't care about consumer privacy.

Cookingboy4y ago

Because Wall Street realizes even consumers don't care about consumer privacy.

If Ashley Madison and Equifax walked away with barely a scratch from their catastrophic breaches, then this is almost nothing in comparison.

3 more replies

blackearl4y ago

Wasn't this leak already 2 years old? Just because the media decided to pump it up this week doesn't mean it just happened.

I've also yet to see anything real come of these kinds of leaks.

omnimike4y ago

iso16314y ago

Because the data is now widely available to anyone and his dog

grenoire4y ago

Priced in, as usual (not even meme-ing).

m12k4y ago

What's the maximum fine under GDPR? It's some percentage of global revenue, right?

pilsetnieks4y ago

paulpan4y ago

adamsvystun4y ago

This is disappointing. Admitting the mistake is crucial in the process of fixing the problem. This just shows that they have learned little after all the company has been through.

dylan6044y ago

>This just shows that they have learned little after all the company has been through.

This is just yet another example of that. It's not like we didn't realize they don't care until this instance. It's hard wired in the DNA, and this is just more evidence of that.

1 more reply

smsm424y ago

MattGaiser4y ago

Admitting the mistake, not admitting the mistake publicly.

sigmonsays4y ago

how is this acceptable?

i'm glad I quit facebook long ago but this angers me for the people who dont stay up to date on security breaches.

bhaavan4y ago

Well this breach is an old breach from 2019. People should stay up to date with security breaches.

ce44y ago

Wasnt there some hints that parts of the leaked PII are more recent?

1 more reply

dylan6044y ago

why would we need to? it's all of the news, so the people have been notified. --Facebook

woudsma4y ago

And they apparently also didn't plan on deleting my PII (phone number was in the leak), even after I permanently deleted my account at FB over 3 years ago.

I thought I had the 'right to be forgotten' because of the GDPR, as I'm a European citizen. Has there been any real enforcement of these laws aside from the relatively small fine here and there?

t0mas884y ago

If you're in Europe you can file a complaint with your local data protection agency. They will definitely already have some investigation on Facebook so this just adds more to it.

smcl4y ago

Here is how you find that, by the way: https://edpb.europa.eu/about-edpb/board/members_en

varispeed4y ago

aminozuur4y ago

The data was scraped years ago and just released now. Only the things you shared publicly already, such as your first and last name on Facebook, were "leaked", except for a few private phone numbers.

woudsma4y ago

1 more reply

anonu4y ago

hetspookjee4y ago

varispeed4y ago

mrweasel4y ago

Won't that get them in trouble in the EU? I had to check, but the GDPR was implemented in 2018, and the leak was in 2019.

benja1234y ago

It’s not clear which leak the data is from. From the articles I read there were two leaks that the data may have come from. One in 2018 and one in 2019.

drusepth4y ago

In either case, it seems like they would have notified users (if at all) when they were alerted to the leak and fixed the vulnerability.. not 2-3 years later.

2pEXgD0fZ5cF4y ago

You can count on the people at Facebook to do the wrong thing

erellsworth4y ago

Doesn't this mean they will get fined out the arse by Europe under the GDPR?

Red_Leaves_Flyy4y ago

Who's going to blink first though?

erellsworth4y ago

Good question.

type04y ago

It doesn't and they know that.

Muromec4y ago

What is really strange about this data leak is what is missing in it. I see at least two countries that aren't there.

Strom4y ago

The leak contains 105 countries, so there's quite a bit more than 2 that are missing - more like a hundred.

DougN74y ago

Really? Which two?

Muromec4y ago

Ukraine and Thailand are missing from the "533M records" dump.

Imnimo4y ago

Maybe they could save time by notifying the people who were -not- affected.

yepthatsreality4y ago

That’s fine. This has pushed me to close my last remaining account with them in the next 24 hours, so they won’t need to send me a breach notice after they’re sued for it.

Thanks Facebook admin for the encouragement to speed up my plans!

1-64y ago

Sometimes I wonder if the data from the cameras on my Oculus Quest 2 is being sent to FB's servers and kept. I guess I'll never know.

fshbbdssbbgdd4y ago

It’s going over your wifi, right? To start, you could evaluate whether the upload bandwidth could fit a video signal.

shock-value4y ago

I think there is no doubt it isn't uploading a raw video signal. But all kinds of things could be derived from that video and uploaded.

2 more replies

dmitrygr4y ago

Better lower that bandwidth requirement estimate:

https://www.engadget.com/reddit-movie-floppy-disk-vcr-180230...

bostonsre4y ago

ipaddr4y ago

Yes data is shared and kept. Now you know.

benja1234y ago

To be fair I don’t think I have ever been notified by any company when my data has been leaked and according to haveibeenpwned that has happened quite a few times.

cdolan4y ago

I have been notified many times by reputable firms that my data has been taken, even if it was just a password.

Most of the stuff that I appear on havibeenpwned for is some strange data brokerage that probably grabbed my data from another hacked brokerage, etc

auiya4y ago

Facebook is probably also not planning to pay out hefty fines for GDPR violations, but alas...

varispeed4y ago

scottmcleod4y ago

A scrape is not a leak

pmlnr4y ago

Well, FB doesn't allow me to export my own contacts' details - email, phone number, etc - with it's data export, so no, this is a leak.

j / k navigate · click thread line to collapse