Facebook data breach: What can you do to protect your social media information

Just three years after the massive Cambridge Analytica and Facebook data scandal, the company is back in the news for another significant data breach, this time affecting over half a billion of its users. Read on to find out more about this leak, whether you might be affected and what you can do to protect yourself.


What data was compromised?

The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US and 11 million on users in the UK. Italy is the most heavily affected EU country, with more than 35 million of its users caught up in the leak, and almost 20 million French users have also been affected. The records include phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses. They do not include users’ passwords. Note that name, phone number and birthdate together are exactly the details many services use to verify identity over the phone, which is what makes this combination valuable to fraudsters.

You can check whether your phone number or email address was exposed in the leak on the breach tracking site HaveIBeenPwned. Because this dataset is mostly phone numbers, the site lets you search by phone number as well as by email; enter the number in international format (country code first) for it to match.


How has Facebook responded?

Facebook has responded to the breach by stating that the leak contains only old data, scraped through a flaw in its contact importer that the company says it fixed in August 2019. In a statement the company said, “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.”

Yet, while this breach concerns data that is a couple of years old, the leaked data could still prove valuable to cybercriminals who use people’s personal information to impersonate them or to scam them into handing over login credentials. Most people affected will not have changed their phone number or email address in the last two years, so they are still at risk of fraud as a result of this leak. As of April 2021, Facebook has not notified the users who have been affected, so every user of the platform should remain vigilant about phishing emails and smishing (SMS phishing) messages that use the leaked details, such as your real name and phone number, to look convincing.


Has the company broken data protection laws?

Under some privacy regulations, including Europe’s GDPR, once a leak like this has been identified, the company involved needs to alert the users who could have been affected where the breach is likely to pose a high risk to them. However, European regulators may be unable to do much about this leaked data, as it appears to have been scraped before GDPR came into force in May 2018. Facebook was therefore not obligated at the time to notify users.

What’s more, under GDPR any major data leak or breach must now be reported to the relevant regulator within 72 hours of the company becoming aware of it. The fact that this leak has only started to be investigated now suggests that Facebook also did not follow this protocol. Had a breach of this size occurred in 2021, the company could face a substantial fine for breaking these two key aspects of GDPR.

In the US, Facebook’s 2019 settlement with the Federal Trade Commission released it from liability for conduct before June 2019, so if the data was scraped after that, it could face action there too.


What to do if your data was exposed

If you’re worried about your data, there are a variety of tools you can implement to increase the security of your account.

  • The best way to keep yourself protected online is to use a strong, unique password for every account. That way, even if your password for one site is compromised, it cannot be reused against the others.
  • If you don’t think you can remember many different passwords, use a password manager to generate and store them for you.
  • Enable two-factor authentication where possible. With this in place, knowing your password is not enough: a login from an unrecognised device also has to be confirmed with a second factor, such as a code from an authenticator app, a hardware security key, or a code sent to your phone. Because phone numbers were part of this leak, prefer an authenticator app or a security key over SMS codes where the service offers them, since an attacker who knows your number can attempt to take it over (SIM swapping) and intercept text messages. We have also written a post on how to add two-factor authentication to your social media accounts if you need guidance.

Data breaches can feel overwhelming for users, but with increased regulation such as GDPR, LGPD and the California Consumer Privacy Act (CCPA), in most cases you will now be informed if your data was involved, so you can take the necessary steps to protect yourself immediately.

If you have any other queries or concerns on data breaches, please leave a comment below and we will get back to you.