Skip to Content
MIT Technology Review
  • Featured
  • Topics
  • Newsletters
  • Events
  • Podcasts
    • Sign in
    Silicon Valley

    What you need to know about the Facebook data leak

    The data trove, uncovered by security researcher Alon Gal, includes phone numbers, email addresses, hometowns, full names, and birth dates.

    April 7, 2021
    Zuckerberg
    AP

    The news: The personal data of 533 million Facebook users in more than 106 countries was found to be freely available online last weekend. The data trove, uncovered by security researcher Alon Gal, includes phone numbers, email addresses, hometowns, full names, and birth dates. Initially, Facebook claimed that the data leak was previously reported on in 2019 and that it had patched the vulnerability that caused it that August. But in fact, it appears that Facebook did not properly disclose the breach at the time. The company finally acknowledged it on Tuesday, April 6, in a blog post by product management director Mike Clark.

    How it happened: In the blog post, Clark said that Facebook believes the data was scraped from people’s profiles by “malicious actors” using its contact importer tool, which uses people’s contact lists to help them find friends on Facebook. It isn’t clear exactly when the data was scraped, but Facebook says it was “prior to September 2019.” One complicating factor is that it is very common for cyber criminals to combine different data sets and sell them off in different chunks, and Facebook has had many different data breaches over the years (most famously the Cambridge Analytica scandal).

    Why the timing matters: The General Data Protection Regulation came into force in European Union countries in May 2018. If this breach happened after that, Facebook could be liable for fines and enforcement action because it failed to disclose the breach to the relevant regulators within 72 hours, as the GDPR stipulates. Ireland’s Data Protection Commission is investigating the breach. In the US, Facebook signed a deal two years ago that gave it immunity from Federal Trade Commission fines for breaches before June 2019, so if the data was stolen after that, it could face action there too.

    How to check if you’ve been affected: Although passwords were not leaked, scammers could still use the information for spam emails or robocalls. If you want to see if you’re at risk, go to haveibeenpwned.com and check if your email address or phone number have been breached.  

    Keep Reading

    Most Popular

    Geoffrey Hinton tells us why he’s now scared of the tech he helped build

    “I have suddenly switched my views on whether these things are going to be more intelligent than us.”

    ChatGPT is going to change education, not destroy it

    The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.

    Meet the people who use Notion to plan their whole lives

    The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.

    Learning to code isn’t enough

    Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.

    Stay connected

    Illustration by Rose Wong

    Get the latest updates from
    MIT Technology Review

    Discover special offers, top stories, upcoming events, and more.

    Thank you for submitting your email!

    Explore more newsletters

    It looks like something went wrong.

    We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.