After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.
Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.
What can an individual, or perhaps everyone affected, do in this scenario?
By the way, data is not "making its way back" like some sort of salmon trying to get back to the source, it is forcefully harvested by FB.
Renowned hacker Inti De Ceukelaire informed facebook of this breach in 2017, but FB just sat on it for a year and did nothing, ultimately claiming it was scraped from publicly available data at the time.
So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.
FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.
This is why it is so important for everyone to go pseudonymous online especially if you are doing ANYTHING that can be remotely viewed as controversial, like political speech. The reality is whether you like it or not, your personal information will be leaked.
I know these days everyone wants to be a social activist on social media today but just don't do it. It is not worth it if some nut job decides to go after you for whatever reason. It is very easy these days to find where people live, work, phone numbers etc by simply knowing their first name, last name and general location of where they live. Most people openly disclose this information.
The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."
Seems like it.
I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.
Oh wait, weren't there also shadow numbers in this ? Aka you had my number you uploaded it so it's in the leak even though I had no relation to them ? Might be why, they have no right to contact me to warn me
I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.
The "Allow Cookies" and "Accept Terms of Service" click-throughs also barely meet any of the GDPR requirements and in the case of the latter don't necessarily constitute informed consent: EU courts have repeatedly ruled that a wall of text can not be used in software to hide "surprising" rules (e.g. that your WhatsApp account will be banned if you use a third-party client).
The actual work involved is trivial if you minimize data collection, which is the whole point - you shouldn't collect anything you don't actually need and GDPR got rid of the "abusing user privacy is purely profitable" excuse.
Regulatory capture is an anti-piracy bill that requires scanning all uploads using technology that only a few companies have or that costs more than potential income of a business. That's why YouTube was generally pro-that bullshit EU "anti piracy" law.
If Ashley Madison and Equifax walked away with barely a scratch from their catastrophic breaches, then this is almost nothing in comparison.
I've also yet to see anything real come of these kinds of leaks.
This is just yet another example of that. It's not like we didn't realize they don't care until this instance. It's hard wired in the DNA, and this is just more evidence of that.
Something to the tune of $30-50B, to also send a clear message to all other companies. In this case, FB appears to have sat idle since previous $5B fine for the Cambridge Analytica fiasco. So 10X that previous fine would seem appropriate.
Long term, holding the leaders and board of companies criminally liable for user PII and data leaks (similar to SOX compliance) might be the best solution. The reality, however, is that no such regulation will occur and companies like FB can continue to lackadaisically treat user privacy and data security.
i'm glad I quit facebook long ago but this angers me for the people who dont stay up to date on security breaches.
I thought I had the 'right to be forgotten' because of the GDPR, as I'm a European citizen. Has there been any real enforcement of these laws aside from the relatively small fine here and there?
I've been blocking FB actively for the last few years, I can't even visit FB because of my /etc/hosts file setup. It seems quite impossible to get back some privacy online even though I try and take measures. Use Duckduckgo, Brave browser, VPN, no social media, etc. I was a happy person when GDPR first came through.
Thanks Facebook admin for the encouragement to speed up my plans!
What could possibly go wrong.
I am not a lawyer, but I find myself wondering if they are binded to GDPR in this case as judging from online articles the actual “leak” itself may have happened prior to May 2018. It also maybe that the nature of the PII itself is not such that it needs to be reported to the users (no passwords, private messages etc...)
Most of the stuff that I appear on havibeenpwned for is some strange data brokerage that probably grabbed my data from another hacked brokerage, etc