In a news article commenting on the leak, Facebook said the data was obtained through a technique known as scraping, which sees information lifted from accounts using automated software.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users,” writes Mike Clark, product management director at the company.
It isn’t the first time that Facebook has seen itself embroiled in a data scandal. In 2018, the infamous and now-defunct consultancy firm Cambridge Analytica was reported to have potentially obtained the Facebook information of up to 87 million people.
An app called ‘This Is Your Digital Life’, which collected information from those who used it as well as from their Facebook friends, was used to harvest the data.
One month later, Facebook confirmed that the ability to search for an account using an individual’s phone number or email address had been suspended, after “malicious actors” used the feature to scrape personal information from users.
The year after that, another data breach rocked the company. This time, 419 million records were discovered on an unsecured server – 18 million from the UK, and around 133 from accounts in the US.
At the time, a Facebook spokesperson told The Independent that the data appeared to have been obtained before the ability to search for accounts using phone numbers was suspended in April 2018.
Have I Been Pwned, created by Australian security expert Troy Hunt, allows individuals to securely enter their email address to find out if their information features in any data leaks.
Following the latest Facebook data breach, Hunt has now confirmed that phone numbers are also searchable on the website, but only for this specific leak from the social media company (it won’t work with any past breaches).
“There’s over 500M phone numbers but only a few million email addresses so >99 percent of people were getting a ‘miss’ when they should have gotten a ‘hit’.
“The phone numbers were easy to parse out from (mostly) well-formatted files. They were also all normalised into a nice consistent format with a country code. In short, this data set completely turned all my reasons for not doing this on its head,” Hunt writes in a blog post.
Individuals can check their phone numbers against the leaks by entering their number in the international format. For those in the UK, that means replacing the 0 at the start of the number with +44.