Facebook data breaches: A detailed look at the most prominent data leaks

A timeline of Facebook data breaches

Facebook has experienced several data breaches over the years, each one exposing its security vulnerabilities and eroding user trust. Let’s explore the scope and impact of those data breaches, starting from the most recent.

Facebook data breaches in 2024

Two significant Facebook data leaks have already occurred in 2024:

• The most recent Facebook data breach took place in late February, exposing millions of two-factor authentication (2FA) codes used by Facebook, Google, and other platforms. A vulnerability in the systems of YX International, a company that routes text messages, allegedly caused the breach. This incident allowed unauthorized access to 2FA codes and password recovery details (Tech.co, 2024).
• In October 2023, a threat actor named “algoatson” allegedly stole the database from a contractor responsible for managing Facebook’s cloud services. However, the database was only made public in February 2024, leaking 200,000 user records from Facebook Marketplace. This Facebook data leak exposed users’ personal information, including phone numbers and email addresses, on a hacker forum (HackRead, 2024).

Facebook data breach in 2023

In 2023, Facebook did not report any major data leaks, but it faced significant regulatory action:

• In May 2023, the Irish Data Protection Commission (DPC) fined Meta (Facebook’s parent company) $1.3 billion — the largest GDPR fine ever — for transferring user personal data to the US and violating GDPR regulations. The European Data Protection Board required Meta to halt future data transfers to the US (EDPB, 2023).

Facebook data breaches in 2022

In 2022, Facebook faced two significant data-related issues:

• In November 2022, the DPC fined Meta $277 million for a massive data breach that impacted around 500 million users. The incident involved data scraped from Facebook being posted on a hacker forum in 2019 (DPC, 2022).
• In October 2022, Meta’s security team discovered over 400 harmful apps on Google Play and the Apple App Store. These apps were disguised as popular utilities, such as photo editors, games, VPN services, and business tools. When users downloaded these apps and logged in with their Facebook credentials, the apps stole their login details. (Meta, 2022).

Facebook data breach in 2021

The most significant Facebook data breach of 2021 occurred in April, resulting from a security vulnerability that Facebook patched in 2019. The accident exposed such details as the names, phone numbers, Facebook IDs, emails, relationship statuses, and locations of 533 million Facebook users from 106 countries. This data was found on a hacking forum, where it could be downloaded for free.

Egypt (44.8 million users), Tunisia (39.5 million), Italy (35.7 million), and the US (32.3 million) were the countries most affected.

Facebook data breaches in 2020

The most noteworthy Facebook scandal of 2020 took place in June, when Facebook engineers discovered a flaw that allowed third-party developers to access users’ personal data even after the users had been inactive for more than 90 days. Usually, after 90 days of inactivity, developers should no longer receive updates on non-public information such as email addresses and birthdates.

However, around 5,000 developers continued to access this data due to this flaw. Facebook quickly addressed the issue and introduced stricter data-sharing policies to prevent similar problems in the future​ (HotHardware, 2020).

Facebook data breaches in 2019

One of the most significant Facebook data leaks ever occurred in April, when more than 540 million user records were exposed. The data was compromised after being shared with third-party apps that used unsecured servers. Two third-party Facebook app developers, Mexico-based Cultura Colectiva and L.A.-based At The Pool, stored about half a billion Facebook user data entries on unsecured Amazon Web Services (AWS) servers.

After the Facebook scandal, it took Cultura Colectiva almost three months to secure its users’ data. At The Pool’s data was secured more quickly, but this may have simply been a stroke of good fortune. Their data set was taken offline during the cybersecurity company UpGuard’s investigation, before they sent any notification emails. However, the data had been left unsecured for about five years prior to that point.

However, does Facebook use AWS today? Interestingly, as of 2024, Facebook continues to use AWS as a key cloud provider. Moreover, since the incident, Facebook and AWS have deepened their cooperation to support research, development, and third-party collaborations, leveraging AWS’s infrastructure for improved security and scalability.

Several other important Facebook data breaches happened that year:

• In April, it came out that Facebook uploaded 1.5 million users’ email contacts without their permission. New users were prompted to verify their email addresses by entering their email passwords, which automatically imported their contacts’ email addresses (The Guardian, 2019).
• In another incident in September, 419 million Facebook user records were exposed on a public server. The data included Facebook users’ IDs and phone numbers, making them vulnerable to phishing and spam attacks. Allegedly, the exposure occurred because the server where the data was stored was not secured with a password (Forbes, 2019).
• In December, over 267 million Facebook user records were found on the dark web. Hackers potentially stole the data using a tool that allows developers to access back-end information. Security researcher Bob Diachenko reported that the database was likely protected and private at one time, but was set to public and made readily available to anyone for about two weeks. The data included names, Facebook IDs, and phone numbers (Forbes, 2019).

Facebook data breaches in 2018

Arguably the biggest Facebook privacy scandal ever involved exposing data on 87 million users to the political consulting firm Cambridge Analytica. This UK-based data firm, employed by Donald Trump’s presidential campaign in 2016, harvested millions of US voter Facebook profiles and used them to build powerful software for predicting and shaping choices at the ballot box. Christopher Wylie, a former Cambridge Analytica employee, blew the whistle.

How did this Facebook data breach happen? Wylie explained that Cambridge Analytica collected a vast database using an app developed by Cambridge academic Aleksandr Kogan. Kogan’s company, Global Science Research, collaborated with Cambridge Analytica to pay Facebook users to take a personality test and agree to have their data collected for academic use.

According to Wylie, the company then used the information, including Facebook users’ friends, “likes,” and hometowns, to create highly personalized ads to micro-target American voters.

Astonishingly, Facebook’s terms of service at the time allowed apps to collect data not only from users who consented to it but also from their friends who had no idea about it. Kogan also misrepresented the purpose of the app. Users who thought they were taking a simple online quiz were actually handing over a large amount of personal data that was ultimately used for political targeting.

Allegedly, Facebook knew that Cambridge Analytica was misusing user data as early as 2015. However, the company refused to acknowledge the issue and only took action once media coverage intensified in March 2018.

Several other Facebook data breaches occurred that year:

• Facebook claims to give users control over who can see their posts and profiles. Usually, users can make posts visible only to specific individuals or friends. However, in May 2018, a glitch caused 14 million users’ private posts to be shared publicly despite their intended privacy settings (Meta, 2018).
• Still recovering from the Cambridge Analytica scandal, Facebook faced another data breach in September 2018. Attackers exploited a flaw in the “View as” feature, allowing them to access user data and view complete profiles. This flaw let attackers steal access tokens, enabling them to see the private information of almost 50 million Facebook accounts (Threat Post, 2018)

Older Facebook data breaches

Some Facebook data breaches have now been almost lost to time:

• Facebook’s first major privacy issue involved the launch of an advertising program called Beacon. Beacon tracked user purchases on other sites and posted about them on Facebook, often without user consent. After public outcry, Facebook added an opt-out option for Beacon (Forbes, 2007)
• In May 2010, the Wall Street Journal revealed that Facebook had been sharing user data with advertisers without their consent. This so-called “privacy loophole” included details like names, ages, and hometowns. Despite the outcry, Facebook argued that this information was not personally identifiable (WSJ, 2010)

How to check if your data was leaked

You do not need to scour hacking forums to discover if your personal information was leaked. Head over to the Have I Been Pwned website, operated by cybersecurity expert Troy Hunt, and check if you have been pwned. Simply enter your phone number or email address, and the website will instantly show if your details were exposed in any verified data breach.

Another way to check if your data has been leaked is to use Dark Web Monitor. This tool, included with a NordVPN subscription, continuously scans dark web forums and sites for leaks linked to your NordVPN email address. If it finds your email on a dark web page, it will immediately alert you. When there’s nothing to report, it will quietly run in the background.

What can somebody do with your personal information?

Knowing your phone number, email address, and Facebook ID is enough to set up various cyberattacks and scams:

• Smishing. Hackers can send you text messages with malicious links to infect your device with malware and steal your credit card information.
• Phishing. Similar to smishing, phishing involves fake emails designed to look like they came from reputable organizations, such as a bank or government agency.
• Identity theft. Criminals can impersonate you to trick your friends or co-workers into “loaning” them money. This is a typical Facebook scam. They can also contact service providers pretending to be you and try to exploit them.
• Vishing. If someone claiming to be from your tax agency or internet provider calls and asks for sensitive information, it might be a vishing attempt. Perpetrators can also pretend to be someone you know to manipulate you into giving away passwords.

What can you do to stay safe?

If you discover that your personal details have been exposed in a Facebook data leak, here are some steps you can take to protect yourself:

• Expect attention from criminals. From now on, be skeptical of every call, SMS, or email. If something seems suspicious, don’t take any risks — ignore the caller and their requests.
• Change your passwords. If your sensitive data might be at risk, change your passwords. This applies not only to your Facebook account but also to other services where you might have used the same email address for registration. Use a password manager like NordPass to create strong and unique passwords and store them securely.
• Enable two-factor authentication. With multi-factor authentication, you need to verify your identity via SMS, token, or app after typing your password. This improves your security and reduces the risk of having your account stolen.
• Don’t overshare on Facebook. Information like bios, relationship statuses, and occupations can end up in leaked databases. While this information might seem harmless, it can be used in social engineering attacks. See what Facebook knows about you and remove any sensitive information that can get you in trouble.

FAQ

How much did the largest Facebook data breach cost?

The largest Facebook data breach, related to the Cambridge Analytica scandal, cost the social media giant $5.825 billion in total. Facebook received a $5 billion fine from the Federal Trade Commission due to privacy violations and misleading users about data misuse. Additionally, Facebook paid $100 million to the Securities and Exchange Commission for misleading investors about these risks. Finally, Meta also agreed to pay $725 million to settle a class-action lawsuit.

What caused the 2019 Facebook data breach?

In a public statement, the company admitted that the Facebook data leak affecting over 500 million users was caused by a vulnerability in the “contact importer” feature. This feature, which helps users find friends by uploading their contact lists, was exploited by attackers to scrape public profile data. This flaw allowed malicious actors to query Facebook’s system with large sets of phone numbers, retrieving the associated public information for each one.

Can I sue Facebook for a data breach?

Data breaches should be reported by service providers according to laws and regulations. If you want to sue Facebook for a data breach, follow the laws in your area and consider consulting a legal expert for guidance.