/Facebook Data Breach: How safe is your personal data on social media?

Facebook Data Breach: How safe is your personal data on social media?


Facebook faces yet another controversy with the data breach of its 533 million users. The social media giant hit the headlines once again for the wrong reason after the data leak was reported by Alon Gal, CTO of cyber intelligence agency Hudson Rock in January 2021. Gal had highlighted that a Telegram bot was being used to sell the phone numbers for free. In the latest reports, a lot more useful info is available including email IDs, full names, locations, birthdates, etc. The breached accounts record for over 32 million accounts in the USA, 11 million in the UK, and 6 million in India.

The Social media giant, Facebook, has been in the news lately and facing scrutiny over how it handles the personal information of its users. Just when the company was clearing up its mess after a major security incident that exposed the account data of millions of users three years ago, reports emerged yet again of an alleged data breach, impacting half a billion Facebook users from 106 countries.

As we know it’s already been a bumpy ride for Facebook after the Cambridge Analytica scandal, the company was scrambling to regain its user’s trust and the news of yet another data breach has knocked down Facebook’s reputation one more time.

This time Facebook confronted a massive data breach of its 533 million users. The social media giant hit the headlines once again for the wrong reason after the data leak was reported by Alon Gal, CTO of cyber intelligence agency Hudson Rock in January 2021. Gal had highlighted that a Telegram bot was being used to sell the phone numbers for free. In the latest reports, a lot more useful info is available including email IDs, full names, locations, birthdates, etc.

The breached accounts record for over 32 million accounts in the USA, 11 million in the UK, and 6 million in India.

For the past two years, we have been hearing the apologies, explanations, and promises from the company, but it seems that Facebook is either too vulnerable or maybe too swamped to handle the privacy of its users worldwide.

The news of the most recent breach could not come at a worse time for Facebook. The company has already been buffeted over the 2018 Cambridge Analytica scandal. And this time the company has suffered a breach of private information from 533 million accounts, even the company’s founder and CEO Mark Zuckerberg’s private credentials are part of it.

While this figure is staggering, there’s more to the story than 533 million sets of data.

Before jumping to conclusions let us rewind and look at the past breaches or scandals of Facebook.


The Past Scandals!

There is a big list of data breaches of Facebook, and all of them highlight the need for stricter data protection laws and accountability from the company not just by paying huge settlements but also coming up with ways to keep its user’s private information private!

If we look back, in 2007 Facebook released a product called ‘Beacon’ which was designed to help advertisers understand their audiences. This move was to monetize users on the platform. Through Beacon, user activity on other websites was added automatically to Facebook user profiles. To demonstrate what it’s trying to do, Beacon showed the titles of videos users rented from Blockbuster Video on the Facebook News Feed. However, this was a clear violation of the Video Privacy Protection Act and led to a class-action lawsuit. As part of the settlement, the social media giant had to pay $9.5 million to a fund for privacy and security.

And this was just a start, in 2009, the social media platform publicly published information that was marked private on users’ profiles. An investigation was issued by the Federal Trade Commission which forced Facebook to apologize to its users. It was also asked to promise better personal data management and protection.

A massive data breach happened in 2013, in which almost 6 million user data was affected. That year the company found a bug that had been exposing the personal information of over 6 million users to unauthorized parties and viewers for about a year. Exposed personal data included email addresses and phone numbers of Facebook users. Anyone who knew even one piece of information could access the data. This technical glitch began in the year 2012. However, it didn’t come to notice until 2013. Before publicly announcing that Facebook’s data leaked, apparently, it fixed the bug and reported the breach to those affected and regulators.

Another massive data breach turned into a scandal in 2014, the Cambridge Analytica Scandal. The news about the data misuse was disclosed in 2018 by Christopher Wylie, a former Cambridge Analytica employee, but it actually took place in 2014.

This marked the beginning of Facebook data breaches and the problems it faces with handling personal data.

The Cambridge Analytica Scandal is one of the most talked-about Facebook data breaches. The scandal began in 2014 when Cambridge Analytica, a data-driven startup asked users to fill in reviews on the Turkopticon website (a third-party site for reviews for Amazon’s Mechanical Turk). It was followed by a task by Aleksandr Kogan that asked users to fill a survey in exchange for money. To fill in the survey, users were asked to download an application – thisisyourdigitallife – to their Facebook accounts.

The app then downloaded a huge amount of personal information, such as the user’s demographic data, likes, friend lists, and some private messages. The app broke the terms of service of Facebook’s but remained in place till December 2015 by which more than information of over 85 million had been harvested by Cambridge Analytica. The data was later used for marketing-related activities and fake news stories. This data also provided analytical assistance to the 2016 presidential campaigns of Ted Cruz and Donald Trump.

This incident entirely proved that the digital data of Facebook users are not at all in safe hands.

After this in 2018, the company uncovered a new bug in the social media platform that overrides the blocklist of users. In yet another privacy failure, the social media giant admitted that more than 800,000 users were affected by this bug on Facebook and Facebook Messenger.

In 2019, another news surfaced on the internet in which, Brian Krebs, a cybersecurity expert reported that the social media company has been storing passwords of millions of users in plaintext files. These files were accessible to over 2,000 employees of Facebook. The social media company didn’t say why or how it had been saving user passwords in such a manner. Later, it was discovered that the passwords of millions of Instagram users were also saved in the same manner. The total number of affected Instagram and Facebook users is estimated to be at least 600 million. The actual number might be much higher.

In July 2020, Zuckerberg-led company admitted to sharing user data with about 5000 third-party app developers, even after the expiry date of data access authorization. Facebook said that it had fixed the issue, however, a mistake allowed 5,000 developers access to receiving user data for longer than the expiry date.


What happened in 2021!

The company was yet again in news, in April 2021 it was reported that the personal data of more than 533 million users of Facebook had been posted on a website to be misused by hackers. This Facebook data breach was reported by Alon Gal – Chief Technology Officer of Hudson Rock.

The data breach had a lot of personal information of users exposed, including their full name, date of birth, gender, email address, phone number, Facebook IDs, Facebook bios, location, and job status. The Facebook data leak 2021 included records of 6 million users from India, 11 Facebook users from the UK and 32 million users from the US.

The company claimed that the hackers obtained user data through data scraping — a process used by people to import data from a website onto a local file that is saved on a computer. The social networking giant also stated in a blog post that the specific issue that allowed this scrape to happen no longer exists since 2019.

Really? Can you believe that?

Clearly, in the case of Facebook, criminals can mine Facebook’s systems for users’ personal information by using techniques that automate the process of harvesting data.

On this, Paranjoy Guha Thakurta, a senior journalist, and a writer said, “As the Cambridge Analytica Episode repeats, Facebook claims it is mindful of protecting the privacy of its users, but the reality is something else. Hackers have been able to infiltrate Facebook’s systems, mined personal data, and presumably sold the data for profit. Whatever, Mark Zuckerberg or others may say about how much Facebook respects and protects the privacy of its users, the reality seems quite different. And the most recent incident of the hack that has taken place revealed that Facebook has a long-long way to go before it is able to protect its systems from being misused and abused.”


Where is this data now and for what it can be used?

We all know the stolen information goes to just one place, the Dark Web. And this information picked or obtained from the Dark Web, can be used to send spam emails, make calls, mount phishing campaigns, and target advertising. It can be used to plot and execute various nefarious online fraud schemes. Hackers can impersonate users and transfer cash on their behalf, without their knowledge.

The database of private information is available on the dark web for anyone to sift through. As per reports from cyber intelligence firm, Hudson Rock, this data was now being sold to various groups on the cloud-based messaging app Telegram. Recently the data set seems to be popping up on various hacker forums all across the internet.

On this issue, Rakshit Tondon, a Cyber Security Expert has said, “Data breaches are becoming a serious concern today, because as we all understand that data is the new gold, data is the new oil, and I think in the last couple of months every second day we are hearing a data breach happening like recently in the news from Facebook, then LinkedIn. And we as consumers, are trusting these applications and giving all our information, but this really acts as a booster to cybercrimes when these data breaches take place.

Because I have seen a trend whenever these data breaches are taking place, the cybercriminals or hackers get a boost. Because they have hands-on personal information like user’s passwords, and surprisingly we have seen that these companies are not treating passwords as well-encrypted. I have seen places where passwords are stored in the databases as simple text, so that means there are compliance issues there.

Organizations like these must be very proactive about data security. In India, we are still waiting for the Data Protection Law, as we heard under the GDPR these companies are tremendously fined if something like this happens. But here in our country, we are still waiting for the Law to be implemented, and I think it will act as an immunity once it comes out. After this, the companies will become serious about data protection.

There is a lack of Cyber Hygiene, and I think it is high time that all companies look at cybersecurity pro-actively and this ongoing pandemic has at least taught us this much that rather than waiting for something to happen we must act pro-actively. Giving out your personal information is a threat.”

Nitin Agarwal, CTO, Locobuzz Solution, has also enlightened us on this issue, she said, “In recent history, we have seen some of the worst data breaches occur around the world, and unfortunately, this is going to continue happening. As companies adopt better ways of securing their servers and customer’s data, hackers are motivated to find more loopholes to gain access to these servers. Frequent security audits and a robust security policy are a need of the hour, but the companies must also look at what kind of security policies or framework the 3rd-party integrator follows. This is critical because the weakest link in the security is the entry door for hackers to get into your system.

Secondly, companies should rely less on people in terms of managing their security keys and other critical information. This is because people can be easily manipulated into giving the information to an unauthorised user. That said, even as a consumer of services we have a responsibility to protect our data. Security and privacy are a combined responsibility of both the consumer and the service provider. The more we take control of it, the better.”


How did Facebook react to this!

We all know the time when the Cambridge Analytica Scandal news broke in 2018, Mark Zuckerberg’s initial response was a long and deafening silence. After which he was summoned in from of a Congress Committee.

The founder and CEO of Facebook – the man with total control over the world’s largest communications platform, addressed the public, and said – “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”

And yet we are here!

Since 2018 what has changed is how we saw those facts. It was as if we all had gone away with it but the fear of losing the private information haunts the users every time a new Facebook breach is in news.

Every time Facebook is in news because of a data breach its PR team is engaged with self-defeating arguments over whether what had occurred.


What’s Next?

Almost every company has suffered a big data breach at some point in time, but only Facebook has endured such an existential reckoning. That’s because what happened with Cambridge Analytica was not a matter of Facebook’s systems being infiltrated, but of Facebook’s systems working as designed: data was amassed, data was extracted, and data was exploited.

If you are looking for an answer on what you should do to safeguard your personal information, we have nothing for you. Maybe you should delete your Facebook account!

Or another way could be by deciding to not share any information that could harm you in the future. Don’t share anything on the platform that you do not want to end up being available publicly. Moreover, enable two-factor authentication for an added layer of security.

Pahi Mehra is a hardcore journalism enthusiast, she holds a degree in Journalism and Mass Communication from IIMM. She loves to travel and explore and believes in world peace.

Leave a reply

Your email address will not be published. Required fields are marked *