Facebook attributes 533 million users' data leak to "scraping" not hacking

Facebook has now released a public statement clarifying the cause of and addressing some of the concerns related to the recent data leak.

As reported last week, information of about 533 million Facebook profiles surfaced on a hacker forum.

From the Facebook data samples seen by BleepingComputer, almost every user record had a mobile phone number, a Facebook ID, a name, and the member's gender associated with it.

The company states that the information exposed was not obtained from the hacking of an unsecured system but rather scraped from public profiles, prior to September 2019.

Data leak attributed to web scraping

Facebook has shed some light on the recent data leak comprising 533 million Facebook user profiles, data from which was posted on a hacker forum last week.

In a public statement released a few hours ago, the company states that the leak resulted from bulk scraping of profiles using a large set of phone numbers linked to these profiles, rather than from hacking of the platform:

"This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services."

"As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists," said Mike Clark, Product Management Director at Facebook in a statement.

Soon enough, after reports of data leak emerged, an EU data regulator, the Data Protection Commission (DPC) of Ireland began investigating the incident.

When details on this data leak had initially disclosed, a Facebook's spokesperson was quick to declare this as old news related to an issue the company had already remedied:

This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.

— Liz Bourgeois (@Liz_Shepherd) April 3, 2021

Facebook believes that malicious actors had scraped the leaked data in question from people's Facebook profiles by abusing the "contact importer" feature back in September 2019. 

"This feature was designed to help people easily find their friends to connect with on our services using their contact lists."

"When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer... to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users," said the company.

Prior to these changes having been implemented, Facebook's endpoints could be queried by anyone to obtain a limited set of public data from user profiles.

But, this information did not include financial information, health information, or passwords, the company has clarified.

Not all experts happy with the response

While Facebook attributes this data leak to web scraping, this usually involves collecting public information from websites.

In this case, attackers used a weakness in the Facebook 'Contact Importer' feature to mass query private phone numbers and then scrape associated public information that was returned by the tool.

This allowed the threat actors to create a massive list of Facebook users, including their phone numbers and scraped public information, by mass querying phone numbers over and over.

Facebook's scapegoating of the data leak to web scraping has not sat well with everyone in the security community.

Infosec blogger John Opdenakker called the company's response "pathetic."

“Scraping data using features meant to help people violates our terms.”

Thou shalt not scrape data from Facebook, thou naughty attacker!

This post is just pathetic. https://t.co/YKSdGYavKe

— John Opdenakker (@j_opdenakker) April 7, 2021

Security expert Troy Hunt, who is also the creator of Have I Been Pwned, also expressed his thoughts on the matter:

Statement from Facebook on this incident: “Scraping data using features meant to help people violates our terms”. Well that fixes that! https://t.co/YJt6Rn2TRq

— Troy Hunt (@troyhunt) April 6, 2021

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who had first brought the data leak to light referred to the incident itself as an "absolute negligence" of the users' data.

Facebook users can search data breach monitoring services like Have I Been Zucked? and Have I Been Pwned stepped up by their Facebook email address or linked phone number to find out if their data was impacted by this leak.