
Facebook on Massive User Data Leak: ¯\_(ツ)_/¯

Facebook declines to take responsibility for a data leak that exposed the phone numbers of 533 million users, instead placing the blame on a contact-importer tool it tried to squash in 2019.

By Michael Kan, Principal Reporter


(Photo by Jaap Arriens/NurPhoto via Getty Images)


Facebook this week published a 500-word blog post addressing the leak of phone numbers from 533 million users, but declined to take responsibility or apologize for the breach, instead placing the blame on pre-2019 policies that enabled the behavior.

According to Mike Clark, Facebook's Product Management Director, the leak traces back to a vulnerability in a contact importer tool that allowed scammers to "imitate our app and upload a large set of phone numbers to see which ones matched Facebook users." The tool was intended to allow Facebook users to find friends on the platform, but bad actors also took advantage of it.

“Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles,” Clark wrote. “The information did not include financial information, health information, or passwords.”

Still, the bad actors scraped millions of profiles and dumped the info into unsecured databases. And while Facebook limited that contact importer tool in 2019, the scraped data is still floating around the web. That's where the 20GB database containing the 533 million phone numbers (as well as Facebook IDs, people's full names, and locations) came from. It's now circulating within hacking circles and forums via a torrent.

Facebook, however, does not plan on notifying affected users. And Clark's blog post ignores the real problem: when combined with software automation, the vulnerability enabled anyone to plug in large numbers of phone numbers and learn the identities behind them. (For example, the 20GB database circulating online even has Facebook CEO Mark Zuckerberg's information, including what appears to be his personal phone number.)
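The abuse pattern described above, automated bulk lookups through a contact-import endpoint, is detectable on the server side because an enumeration job looks nothing like a real address book: batches are large and numerically dense. The following is an added illustration written for this article, not Facebook's code; the request log, client IDs and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of contact-import requests as (client_id, phone numbers).
# A genuine address book is small and scattered across area codes; an enumeration
# job uploads big, consecutive ranges. All values below are made up.
SAMPLE_REQUESTS = [
    ("app-legit-1", ["+14155550101", "+14155550188", "+12125550147"]),
    ("app-abuse-7", [f"+1415555{n:04d}" for n in range(0, 500)]),
    ("app-abuse-7", [f"+1415555{n:04d}" for n in range(500, 1000)]),
]

MAX_DISTINCT_PER_CLIENT = 200   # hypothetical policy: distinct numbers per client
SEQUENTIAL_FRACTION = 0.8       # hypothetical: share of adjacent numbers 1 apart


def digits(number: str) -> int:
    """Normalise a phone string to its digits so ranges can be compared."""
    return int("".join(ch for ch in number if ch.isdigit()))


def sequential_fraction(batch) -> float:
    """Fraction of sorted neighbours that differ by exactly 1 (1.0 = pure range)."""
    if len(batch) < 2:
        return 0.0
    vals = sorted(digits(n) for n in batch)
    adjacent = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return adjacent / (len(vals) - 1)


def flag_enumeration(requests, max_distinct=MAX_DISTINCT_PER_CLIENT,
                     seq_fraction=SEQUENTIAL_FRACTION):
    """Return {client_id: sorted reasons} for clients whose uploads look like
    enumeration rather than contact syncing."""
    seen = defaultdict(set)      # distinct numbers uploaded per client
    reasons = defaultdict(set)
    for client, batch in requests:
        if sequential_fraction(batch) >= seq_fraction:
            reasons[client].add("sequential batch")
        seen[client].update(batch)
        if len(seen[client]) > max_distinct:
            reasons[client].add(f"distinct numbers over {max_distinct}")
    return {c: sorted(r) for c, r in reasons.items()}


if __name__ == "__main__":
    for client, why in flag_enumeration(SAMPLE_REQUESTS).items():
        print(client, "->", ", ".join(why))
```

A flagged client would be throttled or blocked before its lookups return matches, which is the rate-limiting control Facebook said it lacked before 2019.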

Clark’s blog post does not acknowledge that most people don’t want their personal phone number out on the open web, let alone in the hands of scammers and cybercriminals. The company's reticence is likely about trying to avoid regulatory scrutiny. In July 2019, the social network reached a $5 billion settlement with the US Federal Trade Commission over the Cambridge Analytica scandal and other alleged privacy violations.

Under the deal, Facebook likely should have notified the FTC about the contact importer tool vulnerability, and how it may have exposed users' personal information, notes Ashkan Soltani, the former chief technology officer for the FTC. But whether the company did remains unclear. 

The FTC declined to say if it's investigating Facebook over the data leak. But Ireland’s Data Protection Commission is demanding answers from Facebook over the data scraping.

The only solace Facebook can give to affected users is its commitment to try and take down the 20GB of data. “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” Clark wrote. His blog post also suggests that users update their privacy settings.

To find out whether you were affected by the leak, don't count on Facebook. You’ll have to use a third-party website, such as Haveibeenpwned.com.

To limit who can find you via your phone number, go to Settings & Privacy > Settings > Privacy Settings > How People Can Find and Contact You > Who can look you up using the phone number you provided? in the mobile app. Here you can choose between Everyone, Friends of friends, Friends, and Only me.
