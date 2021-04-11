The biggest cybersecurity scandal of 2021 did not actually originate in 2021. This week every media outlet reported that data from 533 million Facebook accounts (out of roughly 2.3 billion) had been exposed in a plain text file that anyone could download.

Facebook IDs, location, names, phone numbers and, for 2 million of these accounts, even email addresses. A database like this is a ready-made toolkit for phishing, identity theft and online scams. Here we explain how to find out whether your account was affected, and why you should take steps such as changing your password or removing your mobile number from your profile right away.

However, as we have already reported at Hipertextual, this data leak did not really appear in 2021. The data, according to Facebook's rather superficial explanation, was extracted by scraping its own API between 2018 and 2019, and the flaw that allowed the extraction was fixed by Facebook in 2019. Since then the records have been circulating for sale, until now, in 2021, they have been made available to everyone as a plain text file. Of the affected accounts, an estimated 11 million are in Spain and 13 million in Mexico.

And the GDPR?

It is now unclear how current legislation will be applied to Facebook over this episode. Mark Zuckerberg's company has defended itself by saying that the mass scraping took place before the European GDPR came into force in May 2018. Quite a coincidence? For now, the Irish Data Protection Commission appears to be opening an investigation. Facebook has so far not received any firm sanction under European privacy rules, although its Irish WhatsApp subsidiary has set aside €77 million for an earlier matter concerning transfers of data to its servers in the United States, and in the United States itself it has already faced a $5 billion fine.

Privacy analysts such as Glyn Moody are already speculating that the way the GDPR is applied to this case could set a precedent. For the moment, a Facebook spokesperson told Reuters this week that the company does not plan to notify the affected European users, since in its view the breach occurred before the regulation came into force.

More than 1.5 billion accounts affected over Facebook's history

With this on the table, we wanted to review the long list of security breaches Facebook has suffered in its 17-year history. At least, the ones that have become known.


Before starting the tour, two notes. First, in 2019 alone there were leaks affecting 1.5 billion accounts, more than half of the total. It is impossible to know to what extent these several episodes hit the same accounts repeatedly, so it cannot be claimed that more than half of Facebook's accounts have been caught in a leak; what can be said is that a user who had an account in 2019 had roughly even odds of being affected, to a greater or lesser degree, by at least one of them.

Second: it is important to distinguish between hacks, that is, intrusions into Facebook's systems, and data breaches like these, which arise from flaws or permissive design in Facebook's own systems. Even Cambridge Analytica, the most publicized privacy scandal in history and the one that shook Facebook the most, was closer to a data breach than to a hack: its promoters simply exploited the broad access to users' and their friends' data that the platform had configured for third-party applications.

A review of the large (known) data leaks that Facebook has suffered


The beginnings: all for the first advertisers

With privacy still a marginal concern at Facebook and similar projects, the Zuckerberg team launched 'Beacon' in 2007, a product designed to help advertisers get to know their audience better by tracking users' activity on other websites.

The feature was alleged to violate the US Video Privacy Protection Act, and Facebook ended up settling a $9.5 million class action lawsuit filed by affected users.

2009: “Publish as private”, Oops!

Facebook made information that users had marked as private visible on their public profiles. An investigation by the US Federal Trade Commission forced Facebook to apologize and promise better handling and protection of personal data.

2013 – 6 million accounts exposed

In June 2013, Facebook discovered that a bug had been exposing the personal data of 6 million users for more than a year. Users' phone numbers and email addresses were exposed, and anyone who had some connection to a person or knew one piece of their contact information could obtain the rest.

The bug reportedly dated from 2012 but was not noticed until 2013. Facebook fixed it and, reportedly, informed regulators and those affected before announcing it publicly.

May 2018 – 14 million users sharing their private data without knowing

Once again, an internal Facebook bug turned what users believed they were posting privately into public posts.

A bug in May 2018 caused new posts by 14 million users, which would normally have been private, to be shared publicly without their knowledge or consent.

The bug was active for only five days, and Facebook quickly restored the affected posts to their original privacy settings.

September 2018 – Between 50 and 90 million people affected by the login with Facebook

Shortly after the Cambridge Analytica scandal broke, Facebook suffered another data breach. In September 2018 it publicly announced that data from between 50 and 90 million users had been exposed. Attackers who obtained the stolen access tokens could use them to take over accounts and see everything in a user's profile. Facebook also confirmed that third-party sites on which those users had logged in with Facebook could be affected as well. A full-blown domino effect.

Facebook had begun investigating a couple of weeks before the announcement, after noticing an unusual spike in activity on user accounts. The situation turned out to be complex: it stemmed from the interaction of three separate bugs in 'View As', a feature that lets people see how their own profile looks to another user.

In response, Facebook reset the access tokens of around 90 million users, logging them out on every device and platform and requiring them to log back in. The 'View As' feature was temporarily disabled.

2019, the horrible year for Facebook and its users

March 2019 – Another 600 million users exposed by passwords stored in plain text

Facebook's first data breach of 2019 was huge. In March, security journalist Brian Krebs reported that Facebook had been storing hundreds of millions of user passwords in plain text in internal files. Only employees could access those files, but that still meant the account passwords were searchable by more than 2,000 Facebook engineers and developers. Facebook did not disclose why or how the passwords had ended up stored this way.

A month later it emerged that millions of Instagram users were also affected: their passwords too had been stored in plain text. Facebook insisted the passwords had not been compromised or misused in any way. The total number of affected Facebook and Instagram users is still unknown (Facebook has declined to comment), but is estimated at 600 million at least, and the real figure is likely much higher.
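What the practice Krebs described looks like next to the correct one, as an added example that is not Facebook's code: a plaintext store, where the record is the password and anyone who can read the table or a log has every credential, beside a store that keeps only a per-user random salt and a slow scrypt hash, with constant-time verification. The in-memory user table, the sample accounts and the scrypt work factors are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Weak form (what a plaintext store amounts to): the record IS the password,
# so anyone who can read the table, a log or a backup has every credential.
def store_plaintext(db, username, password):
    db[username] = password  # insecure, kept only for comparison
    return db[username]

# Hardened form: a memory-hard, deliberately slow KDF over a per-user random
# salt. Only the salt, the work factors and the derived key are stored.
# Work factors are an assumption for this example; tune them for your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32

def _derive(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=DKLEN)

def store_hashed(db, username, password):
    salt = os.urandom(16)  # fresh per user, so equal passwords get different records
    db[username] = {
        "salt": salt.hex(),
        "hash": _derive(password, salt).hex(),
        "params": [SCRYPT_N, SCRYPT_R, SCRYPT_P],  # stored so they can be raised later
    }
    return db[username]

def verify(db, username, password):
    rec = db.get(username)
    if rec is None:
        # Burn the same amount of work for unknown users so an attacker cannot
        # enumerate usernames by timing.
        _derive(password, b"\x00" * 16)
        return False
    n, r, p = rec["params"]
    candidate = _derive(password, bytes.fromhex(rec["salt"]), n, r, p)
    # Constant-time comparison; never compare hashes with ==.
    return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))

def record_reveals_password(record, password):
    """The check an internal audit would run: does the stored record contain
    the password verbatim? True for the plaintext store, False for the hash."""
    return password in str(record)

if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    plain_db, hashed_db = {}, {}
    for user, pw in [("alice", "correct horse battery staple"),
                     ("bob", "correct horse battery staple")]:
        store_plaintext(plain_db, user, pw)
        store_hashed(hashed_db, user, pw)
    print("plaintext record leaks password:",
          record_reveals_password(plain_db["alice"], "correct horse battery staple"))
    print("hashed record leaks password:",
          record_reveals_password(hashed_db["alice"], "correct horse battery staple"))
    print("same password, different records:",
          hashed_db["alice"]["hash"] != hashed_db["bob"]["hash"])
    print("login ok:", verify(hashed_db, "alice", "correct horse battery staple"))
    print("wrong password:", verify(hashed_db, "alice", "Correct horse battery staple"))
```

The point of storing the work factors alongside the hash is that they can be raised as hardware gets faster, re-hashing each user at their next successful login; a plaintext store has no such property, and no amount of access control on the file changes what a leaked copy reveals.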

April 2019 – 540 million records exposed on a public server

We now come to the period the current scandal dates back to. In April, hundreds of millions of Facebook user records were found sitting on publicly accessible cloud storage. Researchers at the security firm UpGuard discovered the exposure and contacted the companies involved; the records were data that third-party app developers had collected from the platform in bulk and then left unprotected on the servers hosting them.

It is not known exactly how long the records were exposed, or whether anyone took advantage of the situation. The data was only taken offline after Facebook became aware of it.

September 2019 – 419 million users again on a public server

Something similar happened again just a few months later. Once again, each record contained a user's unique Facebook ID and the phone number listed on the account; in some cases the user's full name, gender and location appeared too.

Facebook did not own the server, and it is unclear who did. Nor is it known who extracted the information from Facebook or why; Facebook said the data was old and had been collected before it removed, in 2018, the ability to look up people by their phone number. The server was taken offline, and it remains to be seen whether anyone was harmed by this exposure.

December 2019 – another 309 million accounts affected

More than 300 million phone numbers, names and Facebook user IDs were left unprotected on an internet-exposed database server for almost two weeks. Security researcher Bob Diachenko, who discovered the exposure, reported that it was the result of an illegal scraping operation or abuse of the Facebook API by criminals in Vietnam.

The initial estimate was 267 million affected. In March 2020, however, a second server exposed by the same group, containing another 42 million records, was discovered, bringing the total to 309 million. Again, it is unknown whether anyone was harmed, but it certainly left users exposed to spam and phishing attacks.

