Facebook has now responded to a recently reported data breach that may have affected more than 530 million users, saying the information was likely stolen from its servers in a newly disclosed incident from 2019.
Facebook's product management director Mike Clark explained the situation in a blog post published in the company's newsroom, which sounds like an attempt to downplay the massive breach. Importantly, the post and additional reports from Wired reveal a previously unreported breach of Facebook's systems.
Facebook's contact importer is said to be to blame
Clark confirmed a Business Insider report about a massive data leak affecting around 530 million Facebook users, but stressed that the information was stolen and not obtained through a hack. He added that Facebook was "confident" it had fixed the problem.
We believe the data in question was siphoned by malicious actors from the Facebook profiles of people who used our Contact Importer before September 2019. This feature was designed to help people find their friends to connect with on our Services through their contact lists.
The cache of data, which included profile names, Facebook ID numbers, email addresses, locations, birth dates and phone numbers, surfaced on a hacking forum over the weekend. Facebook initially pointed to a previously reported data breach from 2019, but did not disclose which case it was referring to. The social network has suffered a number of data-related fiascos in recent years, including the accidental release of 540 million records discovered by security firm UpGuard in April 2019.
Facebook wants to take new measures to protect users
As Wired reports, the new dataset comes from a security flaw that Facebook discovered in 2019. The issue, which was related to the platform's contact importer, was fixed in August 2019. Facebook claims it disclosed the scraping operation in statements to media outlets. But Wired tracked the reports and found that they were related to an Instagram breach and a separate leak on the Facebook platform that dated back to mid-2018. The company also failed to inform users individually or publish a security guide on the issue. Facebook is quickly moving on from the issue of public disclosure and focusing on future measures it plans to take to protect users. Clark writes:
We are focused on protecting people's data by working to get this dataset removed, and we will continue to aggressively take action against malicious actors who abuse our tools wherever possible. While we can't always prevent datasets like this one from re-circulating or new ones from emerging, we have a dedicated team focused on this work.