Skip to content

Facebook says the 533 million leaked records were scraped; not hacked

  • by
  • 4 min read

Facebook says that the data leak of 533 million users wasn’t caused due to a hacker breaching their databases but through scraping.

On April 3, reports surfaced that the data of roughly 533 million Facebook users, which included profile names, phone numbers, email addresses and FB ID, was leaked. Facebook initially said that the breach was spotted in August 2019 and the vulnerability was fixed. Neither did the social media giant disclose this information at the time nor did they acknowledge it, until Tuesday.

Facebook announced that the data was obtained by the attackers by scraping their contact importer tool prior to September 2019. The tool was aimed to help people connect with others on the platform using their contacts list.

The company says that no financial or health information and passwords had been leaked in the breach.

“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” said Mike Clark, product management director, Facebook.

In the News: Google vs Oracle: The story so far and how it affects the future of tech?

Hacked or Scraped: Does it really matter?

While Facebook’s post titled “The facts on news reports about Facebook Data” looks like the company is trying to come clean about the whole fiasco, it does little except tell us that Facebook wasn’t hacked, rather the user data was scraped.

Whether it was data scraping or hacking that led to the information of more than 500 million users to surface in online search, Facebook is liable for the breach.

Unless, of course, Facebook accepts that the data security of its billions of users and their privacy isn’t the company’s responsibility.

Since there have been numerous data breaches on Facebook between 2018 and 2019, it’s tough to pinpoint when and how exactly the attackers access this information unless you take Facebook’s word for it, who’s conveniently decided to speak up after being silent on the matter since 2019.

In September 2018, 50 million Facebook profiles were hacked, followed by another data breach in November 2018 that saw data of 120 million users leaked, including private messages. The following month, a bug resulted in photos of 6.8 million users being exposed to third-party apps. In April 2019, Upguard revealed that about 146GB of data that contained 540 million user records, were leaked through third-party app datasets. It could be any one of the aforementioned or even Cambridge Analytica’s third-party data-sharing scandal.

“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles.”

In the F8 dev conference in 2019, Zuckerberg said in his keynote “the future is private” but it’s really hard to believe his statement given the company’s current transparency policy and apathy as far as security of user data is concerned.

Anyone looking to find if their Facebook data was leaked in the breach can go to HaveIBeenPwned, a breach-tracking website developed by Troy Hunt.

Also read: What is Differential Privacy and does it keep user data anonymous?



Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals. Contact Prayank via email: