Data security experts on Wednesday cast doubt on Facebook’s claim that the data of half a billion users discovered online was public user profile information.
After 533 million Facebook user records, including phone numbers, Facebook IDs, full names and birthdates, were discovered over the weekend, the social media company defended itself in a statement overnight, suggesting that the information in the database circulating online was public.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019. Scraping is a common tactic that often relies on automated software to lift public information from the internet,” the statement reads.
But data security experts said the social network’s defense is evasive.
“Facebook’s statement that this information is public is misleading, as this breach also includes phone numbers that were not visible on people’s profile,” said Inti De Ceukelaire, a Belgian ethical hacker.
Independent cybersecurity researcher Lukasz Olejnik also questioned Facebook’s line.
“Is it really public data? For example, the phone numbers at least in many cases weren’t, and come from Facebook,” he said.
The leak centers on a contact importer feature that allowed users to be found by their phone numbers even when the number was not publicly listed on their profile, an issue De Ceukelaire raised as early as 2017.
Facebook blamed abuse of this matching function for the leak, saying it updated the feature in 2019 after discovering that malicious actors had been exploiting a glitch in the feature’s software to match reams of phone numbers to Facebook users and build the database.
But Facebook’s suggestion that phone numbers are public because they could be used to match users, even when the phone numbers in question weren’t publicly listed, has been called into question.
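The abuse described above works only because a contact importer answers one lookup after another without noticing that the “contacts” are a swept number range rather than an address book. As an added example (not Facebook’s code; the log shape, account names and thresholds are assumptions), this detector scores contact-import batches for two enumeration signals a platform could rate-limit or review on: dense consecutive number ranges within a batch, and cumulative upload volume far beyond one person’s contacts.

```python
from collections import defaultdict

# Constructed sample of contact-import batches as (account_id, uploaded phone numbers).
# The log shape, account names and thresholds are assumptions for this example.
SAMPLE_BATCHES = [
    ("alice", ["+15550001234", "+15559876543", "+447700900123"]),   # ordinary address book
    ("bot-01", [f"+1555123{i:04d}" for i in range(0, 400)]),         # dense consecutive range
    ("bot-01", [f"+1555123{i:04d}" for i in range(400, 800)]),       # ...continued next batch
] + [
    # scattered numbers, but far more than one person's contacts, spread over 10 batches
    ("bot-02", [f"+1555{(i * 7919) % 10_000_000:07d}" for i in range(k * 150, (k + 1) * 150)])
    for k in range(10)
]

def sequential_fraction(numbers):
    """Share of adjacent (sorted) numbers in a batch that differ by exactly 1.
    A real address book scores near 0; a swept number block scores near 1."""
    digits = sorted({int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit()})
    if len(digits) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return adjacent / (len(digits) - 1)

def classify_batch(numbers, max_batch=1000, seq_threshold=0.5):
    """Per-batch signals that an upload is an enumeration rather than a contact list."""
    reasons = []
    if len(numbers) > max_batch:
        reasons.append("batch_size")
    if sequential_fraction(numbers) >= seq_threshold:
        reasons.append("sequential_range")
    return reasons

def score_accounts(batches, per_account_limit=1000):
    """Aggregate batch signals per account and add a cumulative-volume signal.
    Returns {account: sorted reasons} for accounts worth rate-limiting or reviewing."""
    totals = defaultdict(int)
    flagged = {}
    for account, numbers in batches:
        totals[account] += len(numbers)
        reasons = classify_batch(numbers)
        if totals[account] > per_account_limit:
            reasons.append("daily_volume")
        if reasons:
            flagged.setdefault(account, set()).update(reasons)
    return {account: sorted(reasons) for account, reasons in flagged.items()}

if __name__ == "__main__":
    for account, reasons in score_accounts(SAMPLE_BATCHES).items():
        print(account, reasons)
```

In the constructed sample, the ordinary address book is not flagged, the first bot is caught by its consecutive range and the second by volume alone, which is why both signals are needed.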
Former U.S. Federal Trade Commission official Ashkan Soltani tweeted that of his two phone numbers that appeared in the leak, one was only visible to him, while the other was a “more sensitive” number used for account recovery and resetting passwords.
Michael Veale, a British computer scientist, reported that his number appeared in the leak even though all of his privacy settings were set to the most restrictive level.
“Even if users tick a box saying friends can find them using their phone number, it is not the job of those same users to imagine how that system could be misused at a large scale to make those phone numbers public before making that choice. That’s the job of Facebook,” Veale said.
“If Facebook can’t make such a system secure, they should not have implemented it.”