Created in 2004, Facebook easily qualifies as the quintessential social media platform. In total, there are approximately 2.8 billion active monthly Facebook users worldwide, and each account houses potentially sensitive data.
The sheer volume of users makes Facebook a prime target for attackers. Additionally, no technology is flawless. Vulnerabilities, bugs, and glitches have commonly exposed the personal information of users.
Finally, even Facebook itself has made some data-related missteps, including some issues that many considered major privacy violations. Here’s a look at Facebook’s data breach timeline, including what occurred, how many people were impacted, and more.
Facebook Data Breach Timeline
December 2005 – Personal Data Acquired from 70,000 Profiles
In a bid to showcase the risks of using social media, a research team created a script that downloaded user data from 70,000 Facebook profiles. While this breach could be considered a form of white hat hacking, as the goal was to expose a vulnerability, not exploit it, it does technically qualify as a breach.
December 2007 – Beacon Advertising Program Allows Facebook User Tracking
When it comes to Facebook’s first big brush with widescale privacy concerns, the launch of Beacon – an advertising program – is likely it. Beacon had the ability to track user purchases on other sites and post about what was bought on Facebook, often without first getting permission from the user. After an outcry, Facebook added an opt-out option for Beacon.
December 2009 – Facebook Publishes Data Users Marked Private
Another major privacy issue, Facebook made changes to the platform that made it possible for content users marked as private or only viewable to a limited audience – such as friends – to become public. Users weren’t informed that the change was occurring and didn’t have the option to approve the update or opt-out.
The issue resulted in charges from the Federal Trade Commission (FTC). Facebook ultimately settled in late-2011.
June 2013 – Bug Exposes Personal Data of 6 Million Users
In June 2013, news broke of a bug that exposed the sensitive personal data of approximately 6 million Facebook users. The glitch – which was related to the contact information archive – allowed the users’ email addresses and phone numbers to be viewable to unauthorized individuals.
The sensitive data was typically accessed by unauthorized people in error. When a user attempted to download contact information from the connections on their friends list, additional contact details that they weren’t authorized to view were added to the download.
Technically, the issue surrounding this breach is believed to have begun in 2012. However, the bug wasn’t actually spotted until 2013. As a result, it was in place for about a year before a fix was issued.
March 2018 – Cambridge Analytica Scandal Affecting 50+ Million Users
The conditions that led to the Cambridge Analytica scandal technically started back in 2010. During that year, Open Graph – a platform that allowed external apps to request and access Facebook users’ data – was launched. Then, there was the subsequent release of “Thisisyourdigitallife” – an app created by Aleksandr Kogan, an academic from Cambridge, and Global Science Research, his company to collect psychological profile data– in 2013.
While Facebook had a rule change in 2014 that was designed to limit access to user data by developers, restricting a developer’s ability to access a Facebook user’s friends’ data unless the developer had explicit permission, it was not imposed retroactively. As a result, it’s believed that Kogan kept data that was potentially acquired improperly.
During multiple elections– including Ted Cruz’s 2015 presidential candidacy and Donald Trump’s 2016 campaign – Cambridge Analytica, a company that acquired the data, reportedly used the psychological profile information and other harvested data for Facebook ad creation and targeting.
In March 2018, the exploitation of Facebook user data was exposed. In total, at least 50 million users’ data was gathered without permission. Some estimates believe the actual number of affected individuals exceeds 80 million.
May 2018 – 14 Million Users’ Private Posts Shared Publicly
Facebook gives users a significant amount of control over who can see their posts, as well as their profile. Usually, users have the ability to make certain posts relatively private, limiting who can view the post to, for example, just specific individuals or those included in their list of friends on Facebook.
In May 2018, a glitch prevented the privacy settings from working correctly. As a result, 14 million users’ private posts were shared publicly even though they were initially posted with viewing limitations. Additionally, the fact that the post reverted to a public state occurred without the poster’s knowledge or consent. As a result, many were unaware that the post was shared with a global audience.
The bug was reportedly related to a new feature Facebook was testing, which rolled out on May 18, 2018. The bug was identified fairly quickly, but a fix for the problem didn’t begin rolling out until May 22, 2018, a full five days later. It was then another five days (May 27, 2018) before the bug was entirely resolved.
September 2018 – Attackers Access Data of Up to 90 Million Facebook Users
Still reeling from the damage caused by the Cambridge Analytica scandal, Facebook was embroiled in another data breach. In September 2018, Facebook announced that attackers had accessed user data, allowing them to see the entire contents of user profiles.
The breach was able to occur due to a flaw in the platform’s “View As” feature. With that feature, users can view their profile as if they were another user, giving users insights into what other Facebook users could potentially see. An issue in the code gave attackers the ability to steal a user’s access tokens, giving them the ability to view profile information that may otherwise be private.
According to Facebook, the vulnerability went unnoticed for more than one year. Once spotted, the code issue was corrected, and impacted users’ access tokens were reset. In total, the attackers accessed profile data on anywhere from 50 to 90 million users.
March 2019 – Hundreds of Millions of User Passwords Stored in Plaintext Files
In March 2019, a report declared that millions of Facebook user passwords were stored in plaintext files, some dating back as far as 2012. While only Facebook employees had access to those files, it meant that user passwords were fully exposed to approximately 2,000 employees.
Later, it was determined that millions of Instagram user passwords were also being stored in plaintext files, leaving them exposed as well. It isn’t clear if any of the password data was ever improperly used.
While the exact number of user accounts that were impacted isn’t known, the total is likely in the hundreds of millions. Some believe the number to be half a billion or more.
April 2019 – 540 Million Facebook User Records Found on Public Server
Researchers with UpGuard – a security firm – found approximately 540 million Facebook user records captured by app developers stored in an Amazon cloud public server, making the information accessible to the public through the internet. The data included Facebook IDs, account names, comments, reactions, likes, and more.
After the discovery, UpGuard reached out to Cultura Colectiva – the server hosting company – informing them about the unsecured data. Still, it took months before the server was ultimately secured, as no action was taken until Facebook became fully aware of the situation.
Facebook was not directly responsible for this breach, as it was the app developers who improperly stored the information. However, Facebook still bears responsibility over what happens on its platform – and in any case, they have pledged repeatedly not to share users’ information with outside companies.
April 2019 – Email Contacts of 1.5 Million Facebook Users Exposed
While the issue originated in May 2016, it wasn’t identified until April 2019. The breach involved email addresses for new Facebook users. Approximately 1.5 million email contacts lists connected to people opening new accounts were uploaded without the knowledge or consent of the user.
When the new user opened their account, Facebook asked the person to enter their email password to verify the email. Once that occurred, the person’s contacts’ email addresses were imported automatically, all without Facebook requesting permission or the option for the new user to cancel the process.
Once the email address data was collected, Facebook began using the information to improve ad targeting and recommend friends.
September 2019 – Data for 419 Million Facebook Users Found on Exposed Server
An unsecured server holding personal data on 419 million Facebook users was found in September 2019. The server was publicly accessible, allowing potentially anyone to find the Facebook ID and phone number of the impacted user. In some cases, the user’s name, country location, and gender were also in the server records.
The server housing the data didn’t belong to Facebook. It’s unclear who captured the data and how it was gathered. It also isn’t clear how impacted users were ultimately affected. The server was eventually taken down.
December 2019 – Criminal Operation Captures User Data from 300+ Million Facebook Accounts
In December 2019, Facebook user data from approximately 267 million accounts was found unprotected on the dark web. The data included names, phone numbers, and Facebook IDs. Then, in March 2020, a second server was discovered that contained data on 42 million more users, bringing the total up to 309 million.
Both servers were associated with the same criminal group, a collection of hackers based in Vietnam. It’s believed that Facebook API abuse or illegal scraping were involved in the data capture.