Social media titan Facebook entered our lives in the year 2004 and has been a part of our daily lives ever since. Launched by Mark Zuckerberg, Facebook was initially made available to just Harvard and later expanded to include students of other US universities. In 2006, the social media platform decided to open itself to the public, and the rest is history. However, this blog is not about celebrating Facebook’s success as a platform but about giving you a timeline of Facebook data breaches that have made the data of millions of its users vulnerable to hackers.
Not many people know that Facebook faced its first vulnerability in 2005, when MIT researchers developed a script that could download publicly posted information of over 70,000 users. Since then, it has frequently found itself a victim of such data breaches. Despite what it says in response to the data breaches it faces, it has failed to provide privacy assurance to its users, time and again. If you want to know how many data breaches Facebook had or want a Facebook privacy leak and fail history, you’ve come to the right place.
Here’s a Facebook data breach timeline and privacy fails
December 2005 Facebook privacy leak
In December 2005, a team of researchers at MIT created a script capable of downloading publicly posted information. This was done in order to demonstrate a privacy threat that can be caused by oversharing on social networking websites. The team was able to acquire personal information of over 70,000 users, saying that businesses are performing similar activities, taking control of users’ data without permission.
December 2007 Facebook data breach
In December 2007, Facebook released its new product called ‘Beacon’ which was designed to help advertisers understand their audiences. This was one of Facebook’s first attempts to monetize users on its platforms. Through Beacon, user activity on other websites was added automatically to Facebook user profiles. To demonstrate what it’s trying to do, Beacon showed the titles of videos users rented from Blockbuster Video on the Facebook News Feed. This was in violation of the Video Privacy Protection Act and led to a class action lawsuit. As part of the settlement, the social media giant had to pay $9.5 million to a fund for privacy and security.
December 2009 Facebook privacy fail
Another Facebook privacy fail occurred in 2009, when the social media platform publicly published information that was marked private on users’ profiles. An investigation was opened by the Federal Trade Commission, which forced Facebook to apologize to its users. It was also asked to promise better personal data management and protection.
July 2013 Facebook Data Breach
This Facebook data breach affected over 6 million users. In June of 2013, social media giant Facebook found a bug that had been exposing personal information of over 6 million users to unauthorized parties and viewers for about a year. Exposed personal data included email addresses and phone numbers of Facebook users. Anyone who knew even one piece of information could access the data. This technical glitch began in the year 2012. However, it didn’t come to notice until 2013. Before publicly announcing the leak, Facebook apparently fixed the bug and reported the breach to those affected and to regulators.
This marked the beginning of Facebook data breaches and the problems it faces with handling personal data.
The Cambridge Analytica scandal of 2014
This is one of the most talked about Facebook data breaches. The scandal began in 2014 when Cambridge Analytica, a data-driven startup, asked users to fill in reviews on the Turkopticon website (a third-party site for reviews for Amazon’s Mechanical Turk). It was followed by a task by Aleksandr Kogan that asked users to fill in a survey in exchange for money. To fill in the survey, users were asked to download an application – thisisyourdigitallife – to their Facebook accounts.
The app then downloaded a huge amount of personal information, such as the user’s demographic data, likes, friend list and some private messages. The app broke Facebook’s terms of service but remained in place till December 2015, by which time information of over 85 million users had been harvested by Cambridge Analytica. The data was later used for marketing-related activities and fake news stories.
July 2018 Facebook data breach
This Facebook data breach uncovered a new bug in the social media platform that overrode users’ blocklists. In yet another privacy failure, the social media giant admitted that more than 800,000 users were affected by this bug on Facebook and Facebook Messenger. The bug reportedly unblocked some of the people users had blocked. Facebook said that the bug was active for 8 days, from May 29th 2018 to June 5th 2018, and while blocked users couldn’t see content shared with friends, they were able to see things posted to wider audiences.
When someone is blocked on Facebook, they can’t see things posted by you on your profile or start a conversation with you on Messenger. Moreover, blocking users also automatically unfriends them from your profile, if you were previously friends. They can’t even add you as a friend again.
In a blog post addressing the privacy breach, Erin Egan (Facebook’s Chief Privacy Officer) said that the bug didn’t reinstate any friend connections that had been severed. About 83% of users affected by the bug had just one person they had blocked temporarily unblocked.
A developer by the name ‘Six4Three’, a bikini photo scraping startup, filed a lawsuit against the social media firm for taking down an API that eventually resulted in its closure. The lawsuit by Six4Three demanded compensation for misleading developers into using Facebook’s platform using the API which was later pulled down. The application in question here is Pikinis, which was supposed to gather photos of women in bathing suits and show them in a ‘consolidated’ way. On 5th December 2018, the US Parliament released documents which were obtained in the probe of Six4Three. The document highlighted 5 main points:
- A whitelisting agreement was signed between Facebook and Netflix, Lyft, Bumble and Airbnb (amongst others) that allowed full access to friends data to these companies after Graph API v1 was discontinued. Damian Collins (the Member of Parliament who issued the order compelling the document handover) said that it was unclear if there was any user consent taken for this or how the social media company decided which companies should be whitelisted or not
- One of the main drivers behind the Platform 3.0 changes at Facebook, according to Collins, was increasing revenues from the big app developers. The linking of friends data to the financial value of the relationship of developers with the platform was found to be a recurring feature of the documents
- Data and information reciprocity between app developers and Facebook was a key focus for Platform v3’s release. Zuckerberg kept discussing charging developers in exchange for API access to friend lists
- The documents also covered discussions of how changes to Facebook’s Android app requesting permissions to collect texts and calls sent by users might be controversial. Moreover, one project manager also stated that ‘from a PR perspective, this is a pretty high-risk thing to do’
- Onavo, a famous data-saving and VPN service app which was acquired by Facebook in 2013, was used by the tech giant to collect data. It was used by Facebook to survey the use of mobile applications on smartphones. Collins says that this ‘apparently’ occurred without knowledge and was used by Facebook to analyze which companies to treat as a threat and which ones to acquire. This was also found to be violating the privacy rules of Apple
Facebook’s data breach of March 2019
In March 2019, Brian Krebs, a cybersecurity expert, reported that the social media company had been storing passwords of millions of users in plaintext files. These files were accessible to over 2,000 employees of Facebook. The social media company didn’t say why or how it had been saving user passwords in such a manner. Later, it was discovered that passwords of millions of Instagram users were also saved in the same manner. The total number of affected Instagram and Facebook users is estimated to be at least 600 million. The actual number might be much higher.
This Facebook data breach was discovered by Bob Diachenko, a cybersecurity expert. Diachenko reported that the breach was an outcome of Facebook API abuse or an illegal scraping operation by Vietnamese hackers. Originally, the estimated number of affected users was 267 million. In March 2020, it was found that a second server containing an additional 42 million records was scraped by the same group of criminals. So, in total, the breach exposed names, phone numbers and user IDs of more than 300 million Facebook users.
Facebook privacy leak of July 2020
In July 2020, the Zuckerberg-led company admitted to sharing user data with about 5,000 third-party app developers, even after the expiry date of data access authorization. Facebook said that it had fixed the issue; however, a mistake had allowed 5,000 developers to keep receiving user data for longer than the expiry date. The social media company, which has over 2.6 billion monthly active users, didn’t comment on how many users were impacted by this or if they’ll be notified individually.
Facebook data leak 2021
The most recent Facebook data leak to come to light happened in April 2021. In this data breach, personal data of more than 533 million users of Facebook was posted on a website to be misused by hackers. This Facebook data breach was reported by Alon Gal – Chief Technology Officer of Hudson Rock. The data breach exposed a lot of personal information of users, including their full name, date of birth, gender, email address, phone number, Facebook IDs, Facebook bios, location and job status. The Facebook data leak 2021 included records of 6 million users from India, 11 Facebook users from the U.K. and 32 million users from the U.S.
Conclusion – Facebook and data breaches
The only thing clear from this list of Facebook data breaches is that your data is not entirely safe. So what can you do in order to keep your data protected? Well, the easiest (and at the same time, toughest) way would be to delete your Facebook account. Another way could be by deciding to not share any information that could harm you in the future. Don’t share anything on the platform that you do not want to end up being available publicly. Moreover, enable two-factor authentication for an added layer of security.