What’s more, the tech giant is still refusing to do anything about the problem.
Facebook did not notify the more than 530 million users whose details were recently made public in a database. The leaked details had originally been obtained from Facebook through the misuse of a feature before 2019. To make matters worse, a company spokesman told the Reuters news service that the company does not currently have plans to notify them.
Last week we reported that phone numbers and other details from user profiles were available in a public database. The leaked details included user phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
Facebook blames “malicious actors”
Facebook responded in a blog post on Tuesday that “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for synching contacts.
The Facebook spokesman said the company was not sure which users it would need to notify. He said that, in deciding not to notify users, it also took into account that users could not fix the issue and that the data was publicly available. Facebook has said it plugged the hole after identifying the problem at the time.
Latest in a series of privacy fails for the tech giant
The scraped information did not include financial information, health information or passwords, Facebook said. Nonetheless, it is obvious that the collated data could provide valuable information for hackers or other bad actors.
Facebook has long been under scrutiny over how it handles user privacy. In 2019 the company reached a huge settlement with the U.S. Federal Trade Commission over allegations the company misused user data.
In Europe, Ireland’s Data Protection Commission said on Tuesday it had contacted the company about the data leak. The Irish agency is the European Union’s lead regulator for Facebook. It said it had received “no proactive communication from Facebook” about the problem. However, it added that Facebook had since contacted it.
One of the conditions of the July 2019 FTC settlement in the U.S. requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident.
The Facebook spokesman declined to comment on the company’s conversations with regulators but said it was in contact with them to answer their questions.