Huge Facebook leak that contains information about 500 million people came from abuse of contacts tool, company says

Andrew Griffin
Wednesday 07 April 2021 11:19 BST
Facebook Troll Farm (Copyright 2020 The Associated Press. All rights reserved)

Facebook says that a vast trove of personal information, uploaded freely to the internet, was harvested as part of a feature gone wrong.

The data was not stolen in a hack but instead through malicious users of its “contact importer”, it said. Though that feature was intended to allow people to upload their contacts from their phone to Facebook, and find people they might know, malicious actors were able to use it to scrape the personal information of people who were already on the platform.

That happened before September 2019, Facebook said in a blog post, and the bug that made it possible has now been fixed. But over the weekend it became clear that the data had become publicly available online, vastly increasing the risk faced by anyone whose details are included in it.

That includes 535 million accounts, which belong to people including chief executive Mark Zuckerberg. Online tools allow anyone to check if their information – including their phone number – is part of the leak.

Facebook’s explanation accounts for why some of the data was initially hard to understand, and why it had taken longer than usual for researchers to uncover and explain its full size. The data was not stolen from Facebook directly, but instead “scraped”, using automated software to gather information that had been intentionally or accidentally made public.

“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services,” Facebook said in a blog post. “As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”

It said that the information “did not include financial information, health information or passwords”.

Facebook said that it was “working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible. While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work”.

It also advised people to check their privacy settings, to ensure that information is locked down and can’t be scraped. It also advised users to turn on two-factor authentication, which adds extra checks when people log in, and should help protect against hacks.
