Facebook says data from 530M users was obtained by scraping, not hack

The social network says it closed a security hole that allowed "malicious actors" to scrape data prior to September 2019.

Rae Hodge Former senior editor

Facebook is attributing a reported data leak with information on more than 530 million users to a vulnerability that it previously identified in 2019. Malicious actors exploited a Facebook feature by using a method of scraping, an often automated process of netting unsecured public data, the company said in a blog post. Facebook said it has since taken action to prevent further exploitation of this feature. 

"As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists," Mike Clark, product management director for Facebook, said in Tuesday's blog post.

Personal information on hundreds of millions of Facebook users, including names, birth dates and phone numbers, was reportedly posted to a website for hackers. The data set contains information on 533 million users from 106 countries, according to Business Insider, which first reported on its availability. The data appears to be years old but could still provide valuable information to identity thieves and scammers.

Facebook said the technical flaw that created the vulnerability was found in the app's ability to import contacts from a user's phone. The captured data was previously reported on in January, after appearing for sale on Telegram. The dataset is now apparently available for free. 

Facebook has not yet notified any affected users and has no plans to do so, according to a Reuters report Wednesday citing a spokesperson. Facebook didn't immediately respond to a request for comment.

To check whether a particular Facebook account was affected, users can search the breach-tracking website Have I Been Pwned?