Huge Facebook leak that contains information about 500 million people came from abuse of contacts tool, company says
Facebook says that a vast trove of personal information, uploaded freely to the internet, was harvested as part of a feature gone wrong.
The data was not stolen in a hack but instead through malicious users of its “contact importer”, it said. Though that feature was intended to allow people to upload their contacts from their phone to Facebook, and find people they might know, malicious actors were able to use it to scrape the personal information of people who were already on the platform.
That happened before September 2019, Facebook said in a blog post, and the bug that made it possible has now been fixed. But over the weekend it became clear that the data had become publicly available online, vastly increasing the risk faced by anyone whose information is in it.
That includes 535 million accounts, which belong to people including chief executive Mark Zuckerberg. Online tools allow anyone to check if their information – including their phone number – is part of the leak.
Facebook’s account of where the data came from explains why some of it was initially hard to understand, and why it had taken longer than usual for researchers to uncover and explain its full size. The data was not stolen from Facebook directly, but instead “scraped”, using automated software to gather information that had been intentionally or accidentally made public.
“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services,” Facebook said in a blog post. “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”
It said that the information “did not include financial information, health information or passwords”.
Facebook said that it was “working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible. While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work”.
It also advised people to check their privacy settings, to ensure that information is locked down and can’t be scraped. It also advised users to turn on two-factor authentication, which adds extra checks when people log in, and should help protect against hacks.