Despite the personal data of hundreds of millions of Facebook users having been recently leaked online, the company says it has no plans to notify the affected individuals.
Made possible by a bug in the platform’s contact syncing feature, the incident is said to have affected 533 million users across 106 different countries, exposing personally identifiable information (PII) such as names, email addresses, phone numbers and more.
Asked to justify the decision not to alert the victims, a Facebook spokesperson explained that the company does not yet have a full view of which specific users were caught up in the breach. The fact that remedying the issue required no action on the part of users is also said to have contributed to the decision.
Facebook data breach
The leak was first discovered by security researcher Alon Gal, co-founder of security research company Hudson Rock, who spoke to a number of affected users to verify the legitimacy of the data.
After the incident came to light, Facebook stepped in to clarify that the data was not stolen via hacking, but rather scraped from the platform. Nonetheless, the type of information exposed could still lay the foundation for various future attacks on the affected individuals.
In many cases, companies are legally obligated to notify both regulators and victims after a data breach. However, various complexities and disparities between rules in different territories (and even different states) mean notification requirements do not always apply.
In the UK, for example, a company is required to notify the victims “if a breach is likely to result in a high risk to the rights and freedoms of individuals”. Even then, this duty does not apply if the stolen data had been securely encrypted before it was stolen or if measures were taken after the fact to limit the scope of the potential damage.
If nothing else, however, it is traditionally seen as an act of good faith for a company to alert customers directly after a cybersecurity incident of this kind. In this case, though, Facebook users will need to take proactive steps to find out whether their data was compromised.
How to check if your details were leaked
Checking whether your data was exposed is very simple; just visit Have I Been Pwned and enter your email address or phone number.
The site is run by security researcher Troy Hunt and is dedicated to alerting people to whether or not their personal details have been leaked in any major security breaches.
If your email address (and other data attached to your account) has been leaked, Have I Been Pwned will let you know which particular breach it was involved in, and the site or service that was affected.
If you discover your data has been compromised, whether in this breach or any other, it’s recommended that you change your passwords and remain alert to the possibility of SMS and email phishing attacks.
As ever, it’s important to use strong passwords that cannot be easily guessed and never to reuse credentials across multiple online accounts, which is made a little easier with a secure password manager.