What you need to know about the Facebook data leak


The news: The personal data of 533 million Facebook users in more than 106 countries were freely available online last weekend. The database, uncovered by security researcher Alon Gal, includes phone numbers, email addresses, hometowns, full names and dates of birth. Initially, Facebook claimed that the data breach had been reported back in 2019 and that it had fixed the vulnerability that caused it in August. In fact, however, Facebook does not appear to have properly disclosed the breach at this point. The company finally confirmed it on Tuesday, April 6, in a blog post by Product Management Director Mike Clark.

How it happened: In the blog post, Clark said that Facebook believes the data was scraped from people’s profiles by “malicious actors” using the contact importer tool, which uses people’s contact lists to find friends on Facebook. It’s not exactly clear when the data was scraped, but Facebook says it was “before September 2019”. A complicating factor is that cyber criminals often combine different data sets and sell them in different blocks. Facebook has suffered a wide variety of data breaches over the years (most notably the Cambridge Analytica scandal).

Why timing matters: The General Data Protection Regulation came into force in May 2018 in the countries of the European Union. If this breach occurred afterward, Facebook could be held liable for fines and enforcement actions for failing to disclose the breach to relevant regulators within 72 hours, as GDPR requires. The Irish Data Protection Commission is investigating the breach. In the US, Facebook signed a contract two years ago that gave it immunity from Federal Trade Commission fines for violations prior to June 2019. If the data was stolen afterwards, action can be taken there too.

To see if you are affected: Although no passwords were leaked, scammers were still able to use the information for spam emails or robocalls. If you want to see if you are at risk, go to and check to see if your email address or phone number has been breached.


Steven Gregory