Since April 3 there has been an uproar. The data of more than half a billion Facebook users is circulating freely on the Web: names, phone numbers, marital status, e-mail addresses, and so on. This is undoubtedly a new peak in Facebook's history of personal data mismanagement. It is also an opportunity to review the biggest fiascos this social network has delivered over the last three years.
January 2021: prelude to today’s disaster
Earlier this year, security researcher Alon Gal raised the alarm on Twitter: he revealed the existence of this file of 533 million Facebook users. At the time it was not available for free; a lookup cost about twenty dollars. Facebook's reaction: none. The tweet below is his follow-up from April 3, when the full dataset was released at no charge.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
– Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
December 2019: Vietnamese scraping
Comparitech researchers come across a server hosted on Amazon containing the data of 267 million users. The type of data is very similar to the 533 million user base. Cybercriminals suspected of operating from Vietnam most likely abused the reverse phone number lookup feature to collect it en masse. In March 2020, the researchers discovered a second server belonging to the same group, with data on 42 million users.
September 2019: “scraping”, act 1
GDI Foundation researchers find an openly accessible server holding the data of 419 million Facebook users. Many records are duplicates, so the set ultimately reduces to 219 million users. Faced with this enormity, Facebook explains that "This database is old and appears to contain information obtained before we removed the functionality for people to find other people using their phone numbers". Indeed, this reverse directory functionality was removed ... in April 2018. In other words, the lookup feature was open long enough for anyone who could submit phone numbers in bulk to map them to profiles, which is the same weakness behind the later scrapes.
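The two scrapes above (the 419 million and 267 million sets) both rely on the same abuse: submit phone numbers in bulk to a reverse-lookup or contact-import endpoint and record which ones resolve to a profile. The following detector is an added example, not Facebook's code, and it runs over a constructed, hypothetical lookup-service log (one line per query: ISO timestamp, client id, number queried, hit or miss). It flags a client on two signals a practitioner would watch for: too many distinct numbers in a sliding window, or lookups that walk a number range sequentially. The window size, thresholds and log format are assumptions chosen for the illustration.

```python
"""Flag bulk reverse-phone-number lookups (contact-import scraping) in a lookup log.

Added example, not Facebook's code. Assumes a hypothetical log format:
    <ISO timestamp> <client id> <E.164 number> <hit|miss>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # assumption: sliding window per client
MAX_DISTINCT_PER_WINDOW = 20         # assumption: real contact syncs stay well below this
SEQUENTIAL_FRACTION = 0.8            # assumption: >=80 % consecutive numbers looks like enumeration
MIN_LOOKUPS_FOR_SEQ_CHECK = 5        # avoid judging a client on one or two lookups


def _parse(line):
    """Split one log line into (timestamp, client, number as int, result)."""
    ts, client, number, result = line.split()
    return datetime.fromisoformat(ts), client, int(number.lstrip("+")), result


def _sequential_fraction(numbers):
    """Share of lookups whose number is exactly one more than the previous lookup."""
    if len(numbers) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(numbers, numbers[1:]) if b == a + 1)
    return steps / (len(numbers) - 1)


def detect_scrapers(log_lines):
    """Return {client: reason} for clients whose lookup pattern looks like mass scraping."""
    history = defaultdict(deque)     # client -> deque of (timestamp, number) inside WINDOW
    flagged = {}
    for line in log_lines:
        ts, client, number, _result = _parse(line)
        q = history[client]
        q.append((ts, number))
        # Drop lookups that have fallen out of the sliding window.
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        numbers = [n for _, n in q]
        distinct = len(set(numbers))
        if distinct > MAX_DISTINCT_PER_WINDOW:
            flagged[client] = f"{distinct} distinct numbers in {WINDOW}"
        elif (distinct >= MIN_LOOKUPS_FOR_SEQ_CHECK
              and _sequential_fraction(numbers) >= SEQUENTIAL_FRACTION):
            flagged[client] = "sequential number enumeration"
    return flagged


def _constructed_log():
    """Constructed sample log (not a real Facebook log): one benign client, one scraper."""
    base = datetime(2019, 9, 1, 10, 0, 0)
    lines = []
    # client-A syncs six scattered contacts over two minutes: normal behaviour.
    benign = [15550001234, 15550009876, 15550004444, 15550002222, 15550007777, 15550003333]
    for i, num in enumerate(benign):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} client-A +{num} hit")
    # client-B walks a number range one value at a time, one query per second.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} client-B +{15550100000 + i} miss")
    return sorted(lines)             # sort by timestamp, as a real log would be ordered


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for client, reason in detect_scrapers(SAMPLE_LOG).items():
        print(f"{client}: {reason}")
```

The sequential-range signal matters because a scraper that keeps each window under the distinct-count threshold (slow, distributed across many client ids) still tends to hand numbers out in ascending blocks; counting only volume misses it. Conversely, the count threshold catches a scraper that randomizes its number order. Neither replaces rate limiting at the endpoint itself, which is the control that was missing while the lookup feature existed.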
April 2019: third-party apps siphon off the graph
UpGuard researchers detect several servers hosted on Amazon holding, in total, more than half a billion records of Facebook data: comments, reactions, group memberships, passwords, e-mail addresses, and more. This data had been collected by third-party applications that, at the time, could access the Facebook graph quite easily, and then left exposed by those developers. Several hundred million users were probably affected.
December 2018: data sharing
"We apologize for the inconvenience," Facebook writes after unintentionally exposing the private photos of 6.8 million users to third-party apps. A bug in the programming interface allowed Facebook partners to access photos that should have been off limits to them. But this story pales next to the revelation made by the New York Times that same month: for years, Facebook had reportedly shared its users' data with the giants of Silicon Valley, discreetly, under secret commercial deals.
September 2018: theft of authentication tokens
Facebook's own servers also get hacked, as in September 2018, when attackers siphoned off the personal data of 50 million users. To do so, they chained bugs in the "View As ..." feature to obtain user access tokens, which let them log into those accounts outright: full account takeover. Among the stolen data were name, gender, date of birth, religion, place of residence, the last 10 geolocations, and more.
March 2018: the Cambridge Analytica scandal
The Guardian and The New York Times break the scandal around Cambridge Analytica, the company that siphoned data from 87 million users to build psychological profiles and help bring about Donald Trump's victory. This case shows, for the first time, the frightening power Facebook holds through its vast trove of personal data.