The social media firm chose not to notify affected users because it doubted it could identify which users needed to be notified, the spokesman said. The tech company also took into account the fact that users could not fix the issue and that their data was already exposed.
Business Insider reported last week that the phone numbers and other personal information of more than 533 million Facebook users were posted on a public database. The users came from 106 countries, including the U.S., the U.K. and India.
In a blog post on Tuesday, April 6, Facebook said that malicious actors had "scraped" the data in 2019 using a vulnerability in the platform's tool for syncing contacts. The California-based firm added it had removed the weakness in the same year after identifying the problem. (Related: More than 500 million users' personal data compromised in Facebook privacy breach.)
Besides refusing to notify affected users, Facebook also downplayed the data breach by saying that it happened years ago and had since been secured. But the fact that the breach dated back to 2019 should alert regulators: Under some privacy regulations, including the European Union's General Data Protection Regulation, the tech firm should have informed victims of the data scraping.
Facebook's 2019 settlement with the Federal Trade Commission, which was reached after the tech giant was accused of misusing user data, also required the company to report details of a breach involving at least 500 users within 30 days of confirming the incident.
Ireland's Data Protection Commission, the EU's lead regulator for Facebook, announced on Tuesday, April 6 that it was investigating the data leak to see if the social media giant violated any rules. The commission initially received "no proactive communication" from the firm but is now in contact with them, Reuters reported.
Experts have also said that the issue is still grave regardless of when it happened, largely due to the nature of the stolen information. The leaked data included phone numbers, Facebook ID's, full names, locations, birthdates, bios and, in some cases, email addresses. It did not include passwords, financial records and health information.
Rob Shavell, CEO of DeleteMe, a personal data protection tool, told the Guardian that even if passwords and other sensitive information were not exposed, the scraped data is still significant because it included signifiers, such as phone numbers and birthdates, that are seldom changed.
"Even if the data is old, it's never really old because it will always be useful for data brokers," Shavell explained. "It helps them correlate related information that is new and dump them into these profiles, which they sell online for as little as 99 cents."
The exposed information can also be used in combination with existing user data online to hack accounts, most notably bank and other accounts that require two-factor authentication. Two-factor authentication involves texting a confirmation code to a phone number to verify a person's identity.
The leaking of phone numbers can also be problematic amid the recent rise of robocalls – an automated telephone call that delivers a recorded message, typically for the purpose of telemarketing and scams.
"Forget about being hacked, it's just annoying to be constantly getting spam calls," Shavell said. "The data breach, whether they say it's old or not, is another way spammers get this information."
Users can check if their personal data is included in the leak using legitimate websites such as Have I Been Pwned?.
Learn more about the issues surrounding the way Facebook handles users' private information at FacebookCollapse.com.