Clock 5 MINUTES

Facebook’s Data Breaches – A Timeline

Over the past few years, there have been countless stories of Facebook exposing user data. Here’s a look at all of the data breaches the social media company has experienced.

11 Mar
2020
SelfKey
Identity Wallet
key-icon

We’ve talked about Facebook and their issues with privacy abuse before. The company has a long history of failing to protect customer data going all the way back to its beginnings. Facebook seems to constantly be in the news for all the wrong reasons. It’s extremely telling that their largest ever ad campaign was to apologize.

Yet somehow, Facebook hasn’t had to face a major repercussion, and your personal data is still getting leaked regularly by the company. In fact, the social media company is single-handedly responsible for the most data leaked in 2019. Here we outline the many data breaches that Facebook has endured.

2013 – 6 million users

In June 2013, Facebook discovered a bug had been exposing the personal data of 6 million users to unauthorized viewers for over a year. User phone numbers and email addresses were exposed, and anyone who knew at least one piece of contact information or who had some type of connection to the person could access the data.

The technical glitch allegedly began in 2012 but wasn’t noticed until 2013. Facebook fixed the bug and apparently reported the breach to regulators and those affected by the breach before publicly announcing it. While it wasn’t the largest breach of the year, it marked the start of Facebook’s problems when it came to data.

May 2018 – 14 million users

If you’ve used Facebook before, then you know that there are different privacy settings for your posts and your profile. You can choose to share what you post with a specific list of people, your Facebook friends, or the entire world. However, a glitch in the system in May 2018 caused the normally private posts of 14 million users to be shared publicly without their knowledge or consent.

The bug was only active for five days, and Facebook quickly returned all posts to their normal privacy settings (ie. not public). Nevertheless, for those few days those posts were made publicly available, and the private lives of users were completely exposed. 

September 2018 – At least 50 million users

Not too long after the Cambridge Analytica scandal, Facebook experienced its second data breach. In September 2018, it was publicly announced that attackers had managed to gain access to somewhere between 50 to 90 million user accounts. The attackers could see everything on a user’s profile. Facebook also confirmed that third-party sites that those users logged into with their Facebook accounts could also be affected.

Facebook began investigations a couple weeks before the announcement, when it noticed unusually high spikes in access to user accounts. The situation turned out to be highly complex and relied on three separate bugs on the platform related to a Facebook feature that lets people see what their profile looks like to someone else. The “View As” feature allows users to experience how their privacy settings look to another person.

The first bug in the system prompted Facebook’s video upload tool to show up on the “View As” page. The second bug caused the video uploader to create an access token (which is what allows you to stay logged into your Facebook account on a device without having to log in every time) which gave the attackers the same sign-in permissions as the Facebook mobile app. Lastly, when the video uploader appeared in the “View As” mode, it provided an access code for whoever the hacker was searching for. The vulnerability on the site is believed to have been in existence since July 2017.

In response, Facebook logged out 90 million users across all platforms and asked them to log in again and reset their passwords. The “View As” feature was temporarily disabled. Mark Zuckerberg also announced that Facebook would be working with the FBI to investigate the breach.

The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!

March 2019 – At least 600 million users

Facebook’s first data breach of 2019 was a big one. In March, cybersecurity expert Brian Krebs reported that Facebook was storing hundred of millions of user passwords in plaintext files. Only employees could access these files, but that still means that account passwords were accessible to over 2,000 Facebook employees. In some cases, the records went all the way back until 2012. Facebook didn’t divulge why or how user passwords had been stored in such a way. 

A month later, it was revealed that millions of Instagram users had been affected as well; their passwords had also been stored in plaintext. Facebook reiterated that the passwords had not been compromised or improperly used in any way. The total number of Facebook and Instagram users affected is still unknown (as Facebook has refused to comment), but it is estimated to be at least 600 million, though the actual number is probably a lot higher.

April 2019 – 540 million users

The spring of 2019 was not a good time for Facebook. In April, it was discovered that hundreds of millions of Facebook user records were sitting on a public server. Oops. Researchers at the security firm UpGuard discovered the breach, and reached out to the Mexican company hosting the server, Cultura Colectiva, multiple times before the server was finally secured months later.

It’s unknown exactly how long user records were exposed for, or if anyone managed to take advantage of the situation. The data was only made private after Facebook became aware of the situation. Although Facebook isn’t directly responsible for this breach, it certainly added fuel to the growing fire. 

April 2019 – 1.5 million users

Going back to May 2016, Facebook had been harvesting the email contacts of 1.5 million new users when they opened their accounts. It will come as no surprise that the company was doing this without the consent or knowledge of its users. So how did it happen?

During the registration process, Facebook was asking new users to verify their email address by entering in their email password, a move that is widely condemned by security experts. Once the password for the email address was entered, their email contacts would automatically be imported. Facebook did not ask for permission to do this, and there was no way to stop or cancel the process as it was happening.

Facebook would then use the collected data to improve the performance of ads, make friend recommendations, and help build up the Facebook web of connections. Facebook said it wasn’t able to see the contents of emails, but being able to see who you are communicating with is still a pretty big privacy breach. With 1.5 million email address books connected, Facebook now had the details of millions of other people.

The company said it would delete the email contact lists, and that no one outside of Facebook had access to the data.

September 2019 – 419 million users

In a breach that feels a bit like Groundhog Day, the data of 419 million Facebook users was discovered sitting on an exposed server. If it sounds familiar, it’s because it also happened in April 2019. Each record contained a user’s unique Facebook ID and the phone number listed on the account. In some cases, the full names, gender and location of users were also listed.

Facebook did not own the server, and it’s unclear who it belonged to. We don’t know who scraped the information from Facebook’s systems or why, but only an employee (or a motivated hacker) would have that level of access. The server was taken down, and it remains to be seen if anyone has been affected by this breach. 

December 2019 – 309 million users

Facebook finished off 2019 with a bang when yet another database was left exposed. More than 300 million Facebook user phone numbers, names and user IDs were left unprotected on the dark web for nearly two weeks. Security expert Bob Diachenko, who discovered the breach, reported that it was the result of an illegal scraping operation or Facebook API abuse by hackers in Vietnam.

The estimate of those affected was originally 267 million. However in March 2020, it was discovered that a second server containing an additional 42 million records was exposed by the same criminal group, which brought the total up to 309 million. Once again, it is unknown if anyone was affected by the breach, but it definitely put users at risk to spam and phishing attacks. 

Conclusion – Protect your personal data

What’s clear from this list is that your data is not safe on Facebook. In 2019 alone over 1 billion user records were leaked, which equals half of all of Facebook users. So what can you do to protect your data?

The first thing to realize is that any online account can be breached. As a result, you should either delete your Facebook account or at least delete any information that could potentially harm you. Don’t share anything that you don’t want to end up publicly available. Enabling two factor authentication is also recommended.

The concept of Self-Sovereign Identity is key here, as it allows you to retain ownership over your data and simultaneously minimizes the information that is shared publicly. Check out SelfKey’s Identity Wallet to learn more about how you can be in control of your personal data.