Massive Facebook data leak connected to undisclosed 2019 breach

Facebook product management director Mike Clark, in what smacks of an attempt to downplay the massive breach, explained the situation in a blog post published to the company's newsroom. Importantly, the post and additional reporting from Wired reveals a previously unreported breach of Facebook's systems.

Clark acknowledges a Business Insider report regarding a massive leak of data related to some 530 million Facebook users, but emphasizes that the information was scraped and not obtained through a hack. He adds that Facebook is "confident" that it rectified the issue.

"We believe the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019," Clark writes. "This feature was designed to help people easily find their friends to connect with on our services using their contact lists."

The cache of data, which included profile names, Facebook ID numbers, email addresses, locations, dates of birth, and phone numbers, appeared on a hacking forum over the weekend. Facebook initially pointed to a previously reported breach from 2019, but failed to disclose which instance it was referring to. The social network suffered a number of data-related fiascos in recent years, including the inadvertent release of 540 million records and discovered by security firm UpGuard in April 2019.

As reported by Wired, the new store of information was drawn from a vulnerability Facebook found in 2019. The problem, related to the platform's contact importer, was fixed in August 2019.

Facebook claims it disclosed the scraping operation in statements to media outlets, but Wired tracked down the reports and found they were related to an Instagram breach and a separate Facebook platform leak dating back to mid-2018. The company also failed to inform users individually or post a security bulletin on the matter.

Facebook is quickly moving past the issue of public disclosure and is pushing the narrative toward future actions it plans to take in a bid to secure users.

"We're focused on protecting people's data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible," Clark says. "While we can't always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work."