Five hundred million Facebook users' phone numbers and email addresses were recently leaked on the dark web, and news reports indicate that Facebook had years to fix the problem (before the 2019 data breach took place). In response, Facebook is spinning the story that it is the user's fault that the information was leaked.
The Data Breach That Caused the Problem
Facebook is no stranger to data breaches due to faulty privacy and security features. However, in 2019, Facebook suffered a massive data breach or, as they are calling it, "scraping" where fraudsters created a massive database of millions of users then used the Facebook feature that imports all of your "friends" that match up with your own contact list, collecting millions of users’ data.
According to Wired Magazine, in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland performed an investigation resulting in the determination that "Our Office finds that FB did not have appropriate safeguards in place prior to the breach in order to protect the personal information of users and non-users."
Their findings also proved that it was incredibly easy to reveal private phone numbers from inside Facebook, pointing to further privacy infrastructure flaws.
Facebook's Response to the Data Being Leaked
Initially, Facebook's response to call the data leak "old news" as though having that information out on the web wasn't damaging to users, which is it. Anyone's email address and phone number put them at risk for fraud.
In a blog post last week by Mike Clark, Facebook's Project Management Director, rather than apologizing, he stated,
"It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019."
Basically, Facebook is sidestepping the issue that their contacts import feature is flawed in that it allowed these hackers to "scrape" all the data they wanted. We have to assume that is not how the feature was originally intended, but it also does not protect Facebook users' privacy.
Vice Magazine took issue with many of the statements made by Clark in his blog posted last Tuesday. The most aggravating of comments was when Clark put it back on the users rather than accept responsibility for Facebook's shortcomings. He started by commenting that "This feature was designed to help people easily find their friends to connect with on our services using their contact lists." He followed it up with the slightly veiled accusation that it's on you to protect your own privacy with, "While we addressed the issue identified in 2019, it's always good for everyone to make sure that their settings align with what they want to be sharing publicly."
Basically, Facebook expects users to protect their own privacy while using these online services. Clark provided tips for users to do that, "In this case, updating the 'How People Find and Contact You' control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication."
Shockingly, Facebook, a $300 billion company, is putting it back on users to protect themselves. Perhaps the only real protection is not to use Facebook at all. If users were to boycott the popular platform, it might change their tune.
Help for Users
Even though Facebook is busy avoiding getting their hands dirty cleaning up the mess, Troy Hunt, the owner of the Have I Been Pwned website has uploaded the entire database so you can check to see if your information is among the breached Facebook data.