Facebook does not plan to notify half-billion users affected by data leak (reuters.com)
345 points by challengly 10 days ago | hide | past | favorite | 93 comments

So after longing it out, today I had a look at haveibeenpwned, and it seems I am one of those whose data has leaked.

After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.

Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.

What can an individual, or perhaps everyone affected, do in this scenario?

Assuming that the data is just your phone number and name/email, is it not possible that this is just from friends who have allowed Facebook and/or Messenger to share contact info? Your original account data almost certainly would have been deleted/purged due to various regulatory requirements, but that doesn't necessarily stop your contact info from being shared again and making its way back into the system.

But then again, Occam's razor would suggest that FB never deleted the data in the first place.

By the way, data is not "making its way back" like some sort of salmon trying to get back to the source, it is forcefully harvested by FB.

Presenting a screen/dialog to the user at first login asking for permission to access contact data does not sound like "forcefully harvested". Users rarely understand the consequences of their decision, which is why I would love to see iOS and Android eliminate the option of wholesale contact access, but use of Facebook apps is not predicated upon receiving your contact data.

It does if your average user is so uneducated they freeze up and whack the next button until the screen with all those words on it goes away.

If someone signs a bad contract because they refuse to read and understand it, and just signs it anyways, they're still generally bound by the terms of the contract. iOS and Android both have pretty clear descriptions in their permissions dialog of what the app is asking for.

It's not a bad contract for that someone though. It's a bad contract for that someone's friends.

Maybe that adjective is not quite right, "rapaciously" perhaps?

Check out the following Twitter thread: https://twitter.com/carolecadwalla/status/137983433288654029...

Renowned hacker Inti De Ceukelaire informed facebook of this breach in 2017, but FB just sat on it for a year and did nothing, ultimately claiming it was scraped from publicly available data at the time.

So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.

FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.

My phone number is in haveibeenpwned. Maybe it's from another leak? I deleted my Facebook account years ago and it doesn't have my new number. WhatsApp does.

I only recently deleted my WhatsApp, so could very well be. Though, according to HIBP it's from the same leak that has recently become known, but who knows.

Yeah, same here, it's the Facebook leak. So why does it have my number? Maybe I activated it for something, changed the number, and forgot. It's not impossible with me.

haveibeenpwned pulls from multiple data leaks. So it is likely your data was leaked somewhere else and the company that got hacked simply never reported it. Happens all the time. Once your data has been leaked, there is nothing you can do about it. Your information will simply just float out there in the internet ether forever.

This is why it is so important for everyone to go pseudonymous online especially if you are doing ANYTHING that can be remotely viewed as controversial, like political speech. The reality is whether you like it or not, your personal information will be leaked.

I know these days everyone wants to be a social activist on social media today but just don't do it. It is not worth it if some nut job decides to go after you for whatever reason. It is very easy these days to find where people live, work, phone numbers etc by simply knowing their first name, last name and general location of where they live. Most people openly disclose this information.

I will automatically give less credence to an anonymous person. They are giving me nothing of themselves, so they expect nothing, and feel no obligation to present the truth. On the flipside, being anonymous, I don't take myself seriously enough. Yes, this has regrettably made me come close to trolling; I've worked on it, but I'm still not close to being fully genuine and I know that.

Yeah, can you imagine them having to tell Zuck his number got leaked. He's gonna be furious!

Source: https://www.androidauthority.com/mark-zuckerberg-signal-1215...

I guess his users can now call him directly to air grievances over data leaks.

Aren't they required to disclose this, at least to California residents, under California's data breach disclosure laws? Or was it not the type of PII covered under the law?

"Facebook, which has long been under scrutiny over how it handles user privacy, in 2019 reached a landmark settlement with the U.S. Federal Trade Commission over its investigation into allegations the company misused user data. [...]

The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."

Seems like it.

In EU law too. Booking.com just got convicted half a million just for notifying TOO LATE (two weeks after the fact).

I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.

Oh wait, weren't there also shadow numbers in this? Aka you had my number and uploaded it, so it's in the leak even though I had no relation to them? Might be why: they have no right to contact me to warn me.

Yeah, but the b.com leak involved credit card data which changes everything in the eyes of regulators. Sadly this is not true for "mundane" data like phone numbers, email addresses, or even physical addresses.

In regards to GDPR, personally identifiable information is the main focus.

All 50 states have some form of data breach notification law, not just California: https://www.ncsl.org/research/telecommunications-and-informa...

Does the law apply here? https://about.fb.com/news/2021/04/facts-on-news-reports-abou... says the breach was in 2019. What was the CA law at that time?

They are absolutely required to report this to the data protection agencies in all European countries. As the other comment mentioned, missing the 72 hour deadline on this is enough to get a fine as Booking.com did.

I'm curious to see the total in GDPR fines from this for Facebook. Will probably take a year or two before we know.

At this point they must be like a deer in front of the flashlights, hoping the car will dodge them.

It's more like a bug; Facebook won't even notice a couple of millions.

GDPR is a gift to large corporations. Regulatory capture in return for a slap on the wrist. It also burdens startup competition and trains people to click "Allow Cookies" and "Accept the Terms of Service" as fast as possible.

GDPR is extremely similar to pre-existing privacy laws in some EU countries. It also applies to startups and large corporations equally, and in practice is more likely to be lenient towards startups making genuine mistakes while trying to obey the rules versus large corporations intentionally ignoring them.

The "Allow Cookies" and "Accept Terms of Service" click-throughs also barely meet any of the GDPR requirements and in the case of the latter don't necessarily constitute informed consent: EU courts have repeatedly ruled that a wall of text can not be used in software to hide "surprising" rules (e.g. that your WhatsApp account will be banned if you use a third-party client).

it really wasn't - unlike other similar laws it is written in terms of world wide revenue (not profit), not a fixed fine, so it's not as easy to simply treat violations as being "free".

The actual work involved is trivial if you minimize data collection, which is the whole point - you shouldn't collect anything you don't actually need and GDPR got rid of the "abusing user privacy is purely profitable" excuse.

Regulatory capture is an anti-piracy bill that requires scanning all uploads using technology that only a few companies have or that costs more than potential income of a business. That's why YouTube was generally pro-that bullshit EU "anti piracy" law.

GDPR fines are scaled on revenue for precisely this reason.

Not happening because at best the FTC can fine them. That is just the cost of business to them these days. It's part of their move fast and break things philosophy.

Too big to follow laws?

Facebook today closed at a record high of 309, up from 299, on the first trading day after this leak hit the press. It has since increased to a higher record high (currently 312 with 10 minutes left)

Wall Street fueled by Jim Cramer's FAANG doesn't care about consumer privacy.

Because Wall Street realizes even consumers don't care about consumer privacy.

If Ashley Madison and Equifax walked away with barely a scratch from their catastrophic breaches, then this is almost nothing in comparison.

I think people do care, it's just impossible for them to express how much they care. Like I want to do something about this data breach, what else can I do apart from remove myself from Facebook (there is good evidence that that wouldn't help me either)? It's a monopolistic market and they are very good at hiding the risks. People don't accept random spam and data leaks out of not caring, but because even if they care the current business models will not care about their opinion.

So what? Failure to disclose is illegal many places for good reason, and the relevant authorities are the ones who need to be doing shit about this. No one expects consumers to regulate other areas, why tech?

I genuinely don't understand how Equifax is allowed to exist post-hack.

Wasn't this leak already 2 years old? Just because the media decided to pump it up this week doesn't mean it just happened.

I've also yet to see anything real come of these kinds of leaks.

Given that the data leak is 2+ years old I'm wondering why it's getting so much attention in the media right now, just as FB hits record highs. The cynic inside me suspects that this is actually a ploy to manipulate the stock price, though I can't tell who would benefit from it.

Because the data is now widely available to anyone and his dog

Priced in, as usual (not even meme-ing).

What's the maximum fine under GDPR? It's some percentage of global revenue, right?


This is disappointing. Admitting the mistake is crucial in the process of fixing the problem. This just shows that they have learned little after all the company has been through.

>This just shows that they have learned little after all the company has been through.

This is just yet another example of that. It's not like we didn't realize they don't care until this instance. It's hard wired in the DNA, and this is just more evidence of that.

That implies they see it as a problem that needs to be fixed. But what if they don't care? After all, their business is collecting and selling these data. It being copied by somebody looks bad, but advertisers probably won't be downloading user lists on the darknet, so the damage to the main business is minimal. And people still on Facebook don't seem to be willing to punish Facebook for violating their privacy, so...

Admitting the mistake, not admitting the mistake publicly.

As others noted in the other thread (https://news.ycombinator.com/item?id=26736285), the correct action here would be a punitive fine by FTC or FCC for 1) the size of the leak and 2) that FB is refusing to notify impacted users.

Something to the tune of $30-50B, to also send a clear message to all other companies. In this case, FB appears to have sat idle since the previous $5B fine for the Cambridge Analytica fiasco. So 10X that previous fine would seem appropriate.

Long term, holding the leaders and board of companies criminally liable for user PII and data leaks (similar to SOX compliance) might be the best solution. The reality, however, is that no such regulation will occur and companies like FB can continue to lackadaisically treat user privacy and data security.

How is this acceptable?

I'm glad I quit Facebook long ago, but this angers me for the people who don't stay up to date on security breaches.

Well this breach is an old breach from 2019. People should stay up to date with security breaches.

Wasn't there some hint that parts of the leaked PII are more recent?


why would we need to? it's all of the news, so the people have been notified. --Facebook

And they apparently also didn't plan on deleting my PII (phone number was in the leak), even after I permanently deleted my account at FB over 3 years ago.

I thought I had the 'right to be forgotten' because of the GDPR, as I'm a European citizen. Has there been any real enforcement of these laws aside from the relatively small fine here and there?

I've been blocking FB actively for the last few years, I can't even visit FB because of my /etc/hosts file setup. It seems quite impossible to get back some privacy online even though I try and take measures. Use Duckduckgo, Brave browser, VPN, no social media, etc. I was a happy person when GDPR first came through.

If you're in Europe you can file a complaint with your local data protection agency. They will definitely already have some investigation on Facebook so this just adds more to it.

Here is how you find that, by the way: https://edpb.europa.eu/about-edpb/board/members_en

I think after such a data leak, it should be possible to ask the company that enabled the leak to put matters as they were before the leak, that is, buying you a new phone number, setting up a new name, new address and whatever else was leaked. The new address should be of comparable standard to the old one.

The data was scraped years ago and just released now. Only the things you shared publicly already, such as your first and last name on Facebook, were "leaked", except for a few private phone numbers.

I've never had public profile information. Only visible for friends (and my phone number wasn't even visible there). How would my private phone number get into that dataset? That would suggest that they have more than just public data.

Your friends can (and almost certainly will) share their contact info (including your name/phone/email) with Facebook, Messenger, or WhatsApp, even if your account is deleted and doesn't exist.

If you use the internet your name and phone number are going to be out there eventually. There's not much you can do. Not saying things can't be better. But at this point in time, your name and number should be assumed not to be private.

So it wasn't too long ago that the news got hold of the Facebook "Supreme Court" that is supposedly even above Mr Zuckerberg. I wonder what would happen if you'd appeal to them about this blatant disregard of sovereign laws worldwide. I don't know a single country that does not have some law in place forcing the leaker to notify the user. Obviously barely any country does it, and if so, Booking just got a laughable 400k fine in the Netherlands for not notifying in time (though they eventually did, just too late). I'm sure Facebook will get away with it. One thing I've learned is that there's barely a better time to buy big tech stock than when they've announced a data leak. Though others seem to have caught on with that sentiment as the stock has been rising.

Even if a country decided to do something about it, would they risk Facebook blocking that country altogether? Facebook has so much money, pretty much any fine will be just a slap on the wrist. What else can they do without causing the public to go mad? Capture Mark and make him do time?

Won't that get them in trouble in the EU? I had to check, but the GDPR was implemented in 2018, and the leak was in 2019.

It’s not clear which leak the data is from. From the articles I read there were two leaks that the data may have come from. One in 2018 and one in 2019.

In either case, it seems like they would have notified users (if at all) when they were alerted to the leak and fixed the vulnerability, not 2-3 years later.

You can count on the people at Facebook to do the wrong thing

Doesn't this mean they will get fined out the arse by Europe under the GDPR?

Who's going to blink first though?

Good question.

It doesn't and they know that.

What is really strange about this data leak is what is missing in it. I see at least two countries that aren't there.

The leak contains 105 countries, so there's quite a bit more than 2 that are missing - more like a hundred.

Really? Which two?

Ukraine and Thailand are missing from the "533M records" dump.

Maybe they could save time by notifying the people who were -not- affected.

That’s fine. This has pushed me to close my last remaining account with them in the next 24 hours, so they won’t need to send me a breach notice after they’re sued for it.

Thanks Facebook admin for the encouragement to speed up my plans!

Sometimes I wonder if the data from the cameras on my Oculus Quest 2 is being sent to FB's servers and kept. I guess I'll never know.

It’s going over your wifi, right? To start, you could evaluate whether the upload bandwidth could fit a video signal.

I think there is no doubt it isn't uploading a raw video signal. But all kinds of things could be derived from that video and uploaded.

It's a powerful device with superb cameras & sensors, used to play user specific content, running totally unauditable code, connected to the Internet and requiring a real identity account to even start.

What could possibly go wrong.

I can’t wait to plug it into my brain stem!

If you enable hand tracking (without controllers), they explicitly notify that they are collecting data about your hands. Combine that with your arm length, hand size / shape, height and I bet you'd be pretty unique. If there aren't enough bits, data about "the way you move" or stand, general posture etc. would be more than enough to identify you I believe. A simple DNN can eat that data like breakfast. I don't care much but it is interesting nonetheless.

Better lower that bandwidth requirement estimate:


Yeah... felt like I sold my soul when I bought one and needed to create a FB account. But In Death: Unchained is so damn fun. I've always wondered if they operate Oculus at a massive loss all so that they can collect a bunch of data. Does anyone know if the Facebook info dump stuff shows what Oculus data they collect?

Yes data is shared and kept. Now you know.

To be fair I don’t think I have ever been notified by any company when my data has been leaked and according to haveibeenpwned that has happened quite a few times.

I am not a lawyer, but I find myself wondering if they are bound by GDPR in this case, as judging from online articles the actual "leak" itself may have happened prior to May 2018. It may also be that the nature of the PII itself is not such that it needs to be reported to the users (no passwords, private messages etc...).

I have been notified many times by reputable firms that my data has been taken, even if it was just a password.

Most of the stuff that I appear on haveibeenpwned for is some strange data brokerage that probably grabbed my data from another hacked brokerage, etc.

Facebook is probably also not planning to pay out hefty fines for GDPR violations, but alas...

That's what I thought. GDPR was created mainly to spend tax payer money on thousands of meetings, lawyers, dinners, conferences and whatever else was possible just to tick few boxes, give people false sense of security and pat themselves on the back while salivating over buffed up bank accounts. For such a blatant disregard for the law, surely they should have been fined by now? Given that they can just exist like that it seems to me they are probably selling or supplying governments with information about citizens, so they may be above the law because of that.

A scrape is not a leak

Well, FB doesn't allow me to export my own contacts' details (email, phone number, etc.) with its data export, so no, this is a leak.
