Malicious actors leaked Facebook data by resorting to ‘scraping’

Hemai Sheth, updated April 07, 2021 at 03:39 PM

They did not hack into systems, clarifies blog post

Facebook has officially responded to the data leak of over 522 million Facebook users, stating that the data in question was obtained by scraping it from the platform prior to September 2019.

First reported by Business Insider, the information of over 533 million Facebook users from 106 countries, including phone numbers, Facebook IDs, full names, locations, birthdates, and email addresses, was leaked online.


Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, first discovered the leaked data and shared on Twitter how a Telegram bot was being used to sell mobile phone numbers of Facebook users.

Facebook, in a blog post on Tuesday, said that malicious actors had obtained the data via scraping and not by hacking into its systems.

“Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this. The methods used to obtain this data set were previously reported in 2019,” the social media major said in a blog post.


“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” it said.

Contact importer feature

The tech giant further detailed how the data was likely scraped using its contact importer feature.

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” it said.

“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users,” it said.

“Through the previous functionality, they were able to query a set of user-profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords,” it added.
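The abuse Facebook describes is an enumeration problem: a contact-matching endpoint that accepts a list of phone numbers and reports which ones belong to users will, if it has no volume controls, let a script sweep through number ranges and harvest profile data one match at a time. The following is an added illustration, not code from Facebook or from the article, of the kind of server-side controls that blunt this: a hard cap on numbers per upload, a per-account daily quota, and a check for uploads that look like a swept range rather than a real address book. The user registry, phone numbers, thresholds and class names are all constructed for the example.

```python
"""Toy contact-matching service with anti-enumeration controls (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed user registry keyed by E.164 phone number (fake numbers).
USERS = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
}

# Hypothetical limits; a real service would tune these from traffic data.
MAX_PER_REQUEST = 100        # numbers accepted in one upload
MAX_PER_DAY = 300            # numbers one account may check per day
SEQUENTIAL_THRESHOLD = 0.5   # fraction of consecutive numbers that marks a sweep


@dataclass
class CallerState:
    uploaded_today: int = 0
    flagged: bool = False


def sequential_fraction(numbers):
    """Fraction of adjacent pairs (after numeric sort) that differ by exactly 1.

    A genuine address book is close to 0; a swept range of numbers is close to 1.
    """
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1)


class ContactImporter:
    """Matches uploaded numbers against USERS while enforcing volume and pattern limits."""

    def __init__(self):
        self.state = defaultdict(CallerState)

    def match(self, caller, numbers):
        st = self.state[caller]
        if st.flagged:
            return {"ok": False, "reason": "caller_blocked", "matches": []}
        if len(numbers) > MAX_PER_REQUEST:
            return {"ok": False, "reason": "too_many_per_request", "matches": []}
        if st.uploaded_today + len(numbers) > MAX_PER_DAY:
            return {"ok": False, "reason": "daily_quota_exceeded", "matches": []}
        if sequential_fraction(numbers) >= SEQUENTIAL_THRESHOLD:
            # Looks like a range sweep, not an address book: block the caller.
            st.flagged = True
            return {"ok": False, "reason": "enumeration_pattern", "matches": []}
        st.uploaded_today += len(numbers)
        # Return only the handles of matched users, never the full profile.
        matches = sorted(USERS[n] for n in set(numbers) if n in USERS)
        return {"ok": True, "reason": None, "matches": matches}


def demo():
    """Run a legitimate upload, a range sweep, and a quota overrun; return the outcomes."""
    imp = ContactImporter()
    legit = imp.match("app-user-1", ["+15550000001", "+15559876543", "+15550000003"])
    sweep = imp.match("scraper", [f"+1555000{i:04d}" for i in range(50)])
    blocked = imp.match("scraper", ["+15550000002"])
    bulk = [f"+1555{i * 3:07d}" for i in range(100)]   # non-sequential, 100 numbers
    for _ in range(3):
        imp.match("bulk-user", bulk)
    quota = imp.match("bulk-user", ["+15550000002"])
    return {"legit": legit, "sweep": sweep, "blocked": blocked, "quota": quota}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} ok={result['ok']!s:5s} reason={result['reason']} matches={result['matches']}")
```

The per-request cap and daily quota limit how much any one account can harvest; the sequential-fraction check catches the specific sweep pattern even inside those limits. Real deployments would add device attestation or app signing so that a script cannot imitate the official client, which is the change Facebook says it made.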

According to the Business Insider report, the entire dataset has been posted on a hacking forum for free, accessible to anyone with basic data skills. The dataset also includes data of Facebook CEO Mark Zuckerberg, as per reports.

Published on April 7, 2021 09:45