top | item 26729989

Facebook does not plan to notify half-billion users affected by data leak

346 points | challengly | 5 years ago | reuters.com | reply

93 comments

[+] bassdropvroom|5 years ago|reply
So after holding out, today I had a look at haveibeenpwned, and it seems I am one of those whose data has leaked.

After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.

Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.

What can an individual, or perhaps everyone affected, do in this scenario?

[+] nuclear_eclipse|5 years ago|reply
Assuming that the data is just your phone number and name/email, is it not possible that this is just from friends who have allowed Facebook and/or Messenger to share contact info? Your original account data almost certainly would have been deleted/purged due to various regulatory requirements, but that doesn't necessarily stop your contact info from being shared again and making its way back into the system.
[+] pieter_mj|5 years ago|reply
Check out the following Twitter thread: https://twitter.com/carolecadwalla/status/137983433288654029...

Renowned hacker Inti De Ceukelaire informed Facebook of this breach in 2017, but FB just sat on it for a year and did nothing, ultimately claiming it was scraped from publicly available data at the time.

So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.

FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.

[+] eloff|5 years ago|reply
My phone number is in haveibeenpwned. Maybe it's from another leak? I deleted my Facebook account years ago and it doesn't have my new number. WhatsApp does.
[+] HNfriend234|5 years ago|reply
haveibeenpwned pulls from multiple data leaks. So it is likely your data was leaked somewhere else and the company that got hacked simply never reported it. Happens all the time. Once your data has been leaked, there is nothing you can do about it. Your information will simply float out there in the internet ether forever.

This is why it is so important for everyone to go pseudonymous online especially if you are doing ANYTHING that can be remotely viewed as controversial, like political speech. The reality is whether you like it or not, your personal information will be leaked.

I know these days everyone wants to be a social activist on social media, but just don't do it. It is not worth it if some nut job decides to go after you for whatever reason. It is very easy these days to find where people live, work, phone numbers, etc. by simply knowing their first name, last name and the general location of where they live. Most people openly disclose this information.

[+] Johnny555|5 years ago|reply
Aren't they required to disclose this, at least to California residents, under California's data breach disclosure laws? Or was it not the type of PII covered under the law?
[+] bostonsre|5 years ago|reply
"Facebook, which has long been under scrutiny over how it handles user privacy, in 2019 reached a landmark settlement with the U.S. Federal Trade Commission over its investigation into allegations the company misused user data. [...]

The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident."

Seems like it.

[+] nolok|5 years ago|reply
In EU law too. Booking.com just got fined half a million just for notifying TOO LATE (two weeks after the fact).

I assume they expect to claim it's not a fb leak in some convoluted way, otherwise I don't understand that move.

Oh wait, weren't there also shadow numbers in this? Aka, you had my number, you uploaded it, so it's in the leak even though I had no relation to them? Might be why: they have no right to contact me to warn me.

[+] iso1631|5 years ago|reply
Facebook today closed at a record high of 309, up from 299, on the first trading day after this leak hit the press. It has since increased to a higher record high (currently 312 with 10 minutes left)
[+] 1-6|5 years ago|reply
Wall Street fueled by Jim Cramer's FAANG doesn't care about consumer privacy.
[+] blackearl|5 years ago|reply
Wasn't this leak already 2 years old? Just because the media decided to pump it up this week doesn't mean it just happened.

I've also yet to see anything real come of these kinds of leaks.

[+] omnimike|5 years ago|reply
Given that the data leak is 2+ years old I'm wondering why it's getting so much attention in the media right now, just as FB hits record highs. The cynic inside me suspects that this is actually a ploy to manipulate the stock price, though I can't tell who would benefit from it.
[+] grenoire|5 years ago|reply
Priced in, as usual (not even meme-ing).
[+] m12k|5 years ago|reply
What's the maximum fine under GDPR? It's some percentage of global revenue, right?
[+] paulpan|5 years ago|reply
As others noted in the other thread (https://news.ycombinator.com/item?id=26736285), the correct action here would be a punitive fine by FTC or FCC for 1) the size of the leak and 2) that FB is refusing to notify impacted users.

Something to the tune of $30-50B, to also send a clear message to all other companies. In this case, FB appears to have sat idle since the previous $5B fine for the Cambridge Analytica fiasco. So 10X that previous fine would seem appropriate.

Long term, holding the leaders and board of companies criminally liable for user PII and data leaks (similar to SOX compliance) might be the best solution. The reality, however, is that no such regulation will occur and companies like FB can continue to lackadaisically treat user privacy and data security.

[+] adamsvystun|5 years ago|reply
This is disappointing. Admitting the mistake is crucial in the process of fixing the problem. This just shows that they have learned little after all the company has been through.
[+] dylan604|5 years ago|reply
>This just shows that they have learned little after all the company has been through.

This is just yet another example of that. It's not like we didn't realize they don't care until this instance. It's hard wired in the DNA, and this is just more evidence of that.

[+] smsm42|5 years ago|reply
That implies they see it as a problem that needs to be fixed. But what if they don't care? After all, their business is collecting and selling these data. It being copied by somebody looks bad, but advertisers probably won't be downloading user lists on the darknet, so the damage to the main business is minimal. And people still on Facebook don't seem to be willing to punish Facebook for violating their privacy, so...
[+] MattGaiser|5 years ago|reply
Admitting the mistake, not admitting the mistake publicly.
[+] sigmonsays|5 years ago|reply
How is this acceptable?

I'm glad I quit Facebook long ago, but this angers me for the people who don't stay up to date on security breaches.

[+] bhaavan|5 years ago|reply
Well this breach is an old breach from 2019. People should stay up to date with security breaches.
[+] dylan604|5 years ago|reply
Why would we need to? It's all over the news, so the people have been notified. --Facebook
[+] woudsma|5 years ago|reply
And they apparently also didn't plan on deleting my PII (phone number was in the leak), even after I permanently deleted my account at FB over 3 years ago.

I thought I had the 'right to be forgotten' because of the GDPR, as I'm a European citizen. Has there been any real enforcement of these laws aside from the relatively small fine here and there?

I've been blocking FB actively for the last few years, I can't even visit FB because of my /etc/hosts file setup. It seems quite impossible to get back some privacy online even though I try and take measures. Use Duckduckgo, Brave browser, VPN, no social media, etc. I was a happy person when GDPR first came through.

[+] t0mas88|5 years ago|reply
If you're in Europe you can file a complaint with your local data protection agency. They will definitely already have some investigation on Facebook so this just adds more to it.
[+] varispeed|5 years ago|reply
I think after such a data leak, it should be possible to ask the company that enabled the leak to put matters as they were before the leak - that is, buying you a new phone number, setting up a new name, new address and whatever else was leaked. The new address should be of a comparable standard to the old one.
[+] aminozuur|5 years ago|reply
The data was scraped years ago and just released now. Only the things you shared publicly already, such as your first and last name on Facebook, were "leaked", except for a few private phone numbers.
[+] anonu|5 years ago|reply
If you use the internet your name and phone number is going to be out there eventually. There's not much you can do. Not saying things can't be better. But at this point in time, your name and number should be assumed not to be private.
[+] hetspookjee|5 years ago|reply
So it wasn't too long ago that the news got hold of the Facebook "Supreme Court" that is supposedly even above Mr. Zuckerberg. I wonder what would happen if you'd appeal to them about this blatant disregard of sovereign laws worldwide. I don't know a single country that does not have some law in place forcing the leaker to notify the user. Obviously barely any country enforces it, and if so, Booking just got a laughable 400k fine in the Netherlands for not notifying in time (though they eventually did, just too late). I'm sure Facebook will get away with it. One thing I've learned is that there's barely a better time to buy big tech stock than when they've announced a data leak. Though others seem to have caught on to that sentiment as the stock has been rising.
[+] varispeed|5 years ago|reply
Even if a country decided to do something about it, would they risk Facebook blocking that country altogether? Facebook has so much money, pretty much any fine will be just a slap on the wrist. What else can they do without causing the public to go mad? Capture Mark and make him do time?
[+] mrweasel|5 years ago|reply
Won't that get them in trouble in the EU? I had to check, but the GDPR was implemented in 2018, and the leak was in 2019.
[+] benja123|5 years ago|reply
It’s not clear which leak the data is from. From the articles I read there were two leaks that the data may have come from. One in 2018 and one in 2019.
[+] 2pEXgD0fZ5cF|5 years ago|reply
You can count on the people at Facebook to do the wrong thing
[+] erellsworth|5 years ago|reply
Doesn't this mean they will get fined out the arse by Europe under the GDPR?
[+] type0|5 years ago|reply
It doesn't and they know that.
[+] Muromec|5 years ago|reply
What is really strange about this data leak is what is missing in it. I see at least two countries that aren't there.
[+] Strom|5 years ago|reply
The leak contains 105 countries, so there's quite a bit more than 2 that are missing - more like a hundred.
[+] DougN7|5 years ago|reply
Really? Which two?
[+] Imnimo|5 years ago|reply
Maybe they could save time by notifying the people who were -not- affected.
[+] yepthatsreality|5 years ago|reply
That’s fine. This has pushed me to close my last remaining account with them in the next 24 hours, so they won’t need to send me a breach notice after they’re sued for it.

Thanks Facebook admin for the encouragement to speed up my plans!

[+] 1-6|5 years ago|reply
Sometimes I wonder if the data from the cameras on my Oculus Quest 2 is being sent to FB's servers and kept. I guess I'll never know.
[+] fshbbdssbbgdd|5 years ago|reply
It’s going over your wifi, right? To start, you could evaluate whether the upload bandwidth could fit a video signal.
[+] bostonsre|5 years ago|reply
Yeah... felt like I sold my soul when I bought one and needed to create a FB account. But In Death: Unchained is so damn fun. I've always wondered if they operate Oculus at a massive loss all so that they can collect a bunch of data. Does anyone know if the Facebook info dump stuff shows what Oculus data they collect?
[+] ipaddr|5 years ago|reply
Yes data is shared and kept. Now you know.
[+] benja123|5 years ago|reply
To be fair I don’t think I have ever been notified by any company when my data has been leaked and according to haveibeenpwned that has happened quite a few times.

I am not a lawyer, but I find myself wondering if they are bound by GDPR in this case, as judging from online articles the actual "leak" itself may have happened prior to May 2018. It may also be that the nature of the PII itself is not such that it needs to be reported to the users (no passwords, private messages, etc...).

[+] cdolan|5 years ago|reply
I have been notified many times by reputable firms that my data has been taken, even if it was just a password.

Most of the stuff that I appear on haveibeenpwned for is some strange data brokerage that probably grabbed my data from another hacked brokerage, etc.