Facebook has declined to accept responsibility in a recent breach that compromised the phone numbers of 533 million users.
In an April 6th blog post, Facebook product management director Mike Clark attempted to address the breach, which was first discovered on April 3rd by Alon Gal of the cybercrime intelligence firm Hudson Rock.
Gal noted that birth dates, locations, email addresses and more were leaked on top of the phone numbers. In particular, 3.5 million Canadians were affected, says Gal.
However, Facebook is now downplaying what happened while ostensibly attributing blame to the users who had their information leaked.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote.
Notably, this semantic argument of “scraping” vs. “hacking” is exactly what Facebook used when it was revealed in 2018 that it enabled Cambridge Analytica to access the data of 87 million users without permission.
In the new blog post, Clark also said that these “malicious actors” were only able to “obtain a limited set of information about those users included in their public profiles,” which “did not include financial information, health information or passwords.”
On top of that, Clark says Facebook became aware of this exploit in 2019, but Securinti’s Inti De Ceukelaire called this a “blatant lie” on Twitter. Per De Ceukelaire, he had notified the social network of the issue two years prior.
They also claim to have 'found' the issue in 2019 – which is a blatant lie. I reported the issue to them in 2017 – they said "we might tweak rate limits in the future" and blamed users for not understanding their kafkaesque privacy settings. https://t.co/0xLpXvbonw pic.twitter.com/57yHrmYViJ
— Inti De Ceukelaire (@intidc) April 6, 2021
In any event, as noted by Business Insider’s Aaron Holmes, Clark’s repeated mentions of 2019 appear to be an effort to imply it’s “old news,” despite the fact that this is the first time that Facebook is fully explaining the breach.
Instead of apologizing for the incident, though, Clark simply asserts that users should keep their security settings up-to-date.
“While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” Clark said.
“In this case, updating the ‘How People Find and Contact You’ control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.”
Clark didn’t outline any further steps the company might take to keep Facebook more secure.
Update 09/04/2021 at 10:05am ET: Facebook has reached out to MobileSyrup to stress that this incident wasn’t the result of a hack. The company notes that scraping is a common practice — one that did happen to LinkedIn earlier this week, for example — and that the information included in the database was public information listed on users’ profiles.
We’ve also updated the language of this story to reflect that this wasn’t a hack.