Another day, another Facebook data leak
Apr 9, 2021

Another day, another Facebook data leak

There have been so many, even experts have a hard time keeping track.

Last weekend, a user in a hacking forum published the personal data of about 500 million Facebook users: their email addresses, phone numbers, birthdays and more. In a blog post Tuesday, Facebook said the recent data leak wasn’t a hack but was from “malicious actors” scraping and saving publicly available information in 2019.

Lily Hay Newman is a senior writer at Wired, where she reports about information security, digital privacy and hacking. Even she has a hard time keeping track of all the data leaks from Facebook. There were the other 500 million records exposed in 2019. The year before had a lot, too. More than 400 million profiles were scraped (or copied), while separately, data from 30 million users was breached. And who could forget the Cambridge Analytica scandal? The following is an edited transcript of our conversation.

A headshot of Lily Newman, senior writer at Wired, where she covers information security, digital privacy and hacking.
Lily Hay Newman (Photo courtesy of Hay Newman)

Lily Hay Newman: Yeah, as I was sort of toggling those off just now, I was really having to think back to make sure I had all my dates right, and years and numbers and everything, because there are a lot of similar situations that have come up at Facebook that, it just feels like there’s always something.

Meghan McCarty Carino: Because it’s not just that any one of these leaks might be superharmful, but sort of the cumulative effect when you add them all together, right?

Hay Newman: Right. And I think Facebook, they’ve really tried to say, “Look, this is all fairly public, anyway. This is names, phone numbers, things that would have been in a phone book a few decades ago.” But there really is a cumulative toll to all of this data getting into criminal circulation or public circulation. And the pressure and the volume and breadth of data really does mount over time, making it easier and easier to do all sorts of scamming, and scamming that can lead to deeper hacking. And it’s just this broader and broader picture of people around the world.

McCarty Carino: And sure, phone numbers used to be in the phonebook. But phone numbers have become a lot bigger of a security threat, given two-factor authentication and all of the things that we use our phone numbers for today, right?

Hay Newman: Mobile phones and mobile phone numbers, as you’re saying, created just a totally different ecosystem, and phone numbers became identifiers for us because we always have our smartphones with us. We’re in a different era now, and the companies and institutions need to catch up to that understanding of how security works now.

McCarty Carino: Is this something that could trigger [a Federal Trade Commission] investigation?

Hay Newman: So Facebook and the FTC entered into a landmark agreement in 2019 over a number of Facebook’s privacy woes and privacy missteps — $5 billion. But there’s an indemnification from June 12, 2019, which means if the activity happened before that, potentially there isn’t the same onus on Facebook. On the other hand, at the time that that investigation was going on, if Facebook knew that this activity was happening, they needed to report it during that time. So that could potentially be an issue. And if some or all of the activity happened after June 12, 2019, Facebook had an obligation to report it, and the FTC would investigate it for that reason. So I think there’s a potential either way, but certainly for the back half of 2019, there are potentially FTC ramifications. And also, people are talking about whether there are concerns [related to the European Union’s General Data Protection Regulation] because GDPR was certainly in full effect at this point.

This illustration picture, taken on January 12, 2020 shows Facebook social network logo reflected on a eye in Rennes, western France.
(Damien Meyer/Getty Images)

Related links: More insight from Meghan McCarty Carino

Facebook has said it won’t be notifying the half a billion users caught up in this leak. But Lily Hay Newman suggests in her Wired story that you can look it up yourself at a third-party website called Have I Been Pwned?

Like “owned,” with a P. Don’t ask me, it’s some gaming thing.

The website tracks data breaches and can tell you how many times and from where your phone number or email might have been shared.

Hay Newman also reports that this breach seemed to affect the earliest users of Facebook, among them U.S. Secretary of Transportation Pete Buttigieg, dozens of people who have worked for the Federal Trade Commission and Mark Zuckerberg himself.

I guess that’s what they call a self-own. Or is it pwn?

The future of this podcast starts with you.

Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.

As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.

Support “Marketplace Tech” in any amount today and become a partner in our mission.

The team

Molly Wood Host
Michael Lipkin Senior Producer
Stephanie Hughes Producer
Daniel Shin Producer
Jesús Alvarado Associate Producer