The most recent Facebook data breach happened in April 2021, when personal data pertaining to 533 million Facebook users was made public on an online forum. As of May 2023, there have been no known Facebook breaches since this incident.
More recently, a $725 million settlement payout opened to the public in April 2023. Below, we’ll get into the full history of Facebook’s data breaches and privacy violations, starting with the most recent.
April 2023: $725 Million Privacy Settlement Opens to Applications
In late 2022, Facebook agreed to a $725 million settlement for privacy violations relating to the Cambridge Analytica scandal. As of April 2023, you can now apply online for your share of the settlement package at the official website created for that purpose.
Applications are open until August 25, 2023. Individual payouts are likely to be small, but if you used Facebook between May 2007 and December 2022, you may be eligible for your share.
April 2021: Personal Data on 530m+ Facebook Users Leaks in Online Forum
In April 2021, a trove of data pertaining to over 530 million Facebook users was publicly posted in an online hacking forum. The leaked data appears to have been scraped from Facebook in 2019, when a group of hackers exploited a vulnerability in Facebook’s contact importer.
Back then, users could readily find people on Facebook by entering phone numbers into a contact importer. In violation of Facebook’s terms of service, hackers scraped users’ profile data by exploiting this tool. Most of the scraped data was tied to users’ phone numbers, and only 2.5 million email addresses were obtained.
Facebook fixed the vulnerability by September 2019. But they decided against notifying the 530 million users whose personal data had been scraped.
In an internal memo, Facebook dismissed the incident as a data scraping issue, unavoidable for social media platforms: “We expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalise the fact that this activity happens regularly.”
In November 2022, Ireland’s Data Protection Commission leveled a €265 fine against Meta for violating the European Union’s General Data Protection Regulation (GDPR) as part of this incident. This followed a €405m fine for privacy violations by Instagram, issued in September 2022.
June 2020: Facebook Accidentally Shares User Data with Developers
In June 2020, Facebook engineers discovered an issue that enabled third-party developers to access personal data on users they should not have had access to. They promptly fixed the issue, and on July 1st, 2020, Facebook made the issue public via a blog post.
Following the Cambridge Analytica scandal in 2018, Facebook had implemented a new policy that would only allow developers to access customer data within 90 days of using the developer’s app. But until Facebook discovered and fixed the issue, thousands of developers could still see data on inactive users if those inactive users were Facebook friends with someone who was an active user.
December 2019: Hacker Group Captures Data from 300m+ Facebook Accounts
In December 2019, Facebook user data from approximately 267 million accounts was found unprotected on the dark web. The data included names, phone numbers, and Facebook IDs. Then, in March 2020, a second server was discovered that contained data on 42 million more users, bringing the total up to 309 million.
Both servers were associated with the same criminal group, a collection of hackers based in Vietnam. It’s believed that Facebook API abuse or illegal scraping were involved in the data capture.
This batch of stolen data came up for sale on the dark web again in April, 2020. Once data is exposed, it’s hard to put the genie back in the bottle.
September 2019: Data for 419 Million Facebook Users Found on Exposed Server
An unsecured server holding personal data on 419 million Facebook users was found in September 2019. The server was publicly accessible, allowing potentially anyone to find the Facebook ID and phone number of the impacted user. In some cases, the user’s name, country location, and gender were also in the server records.
The server housing the data didn’t belong to Facebook, and it’s unclear who scraped the data to begin with. The server was eventually taken down.
July 2019: FTC Imposes $5 Billion Penalty and New Privacy Restrictions on Facebook
In 2018, the Federal Trade Commission began a renewed investigation of privacy violations at Facebook. And on July 24, 2019, the FTC announced a $5 billion fine and mandated a new round of requirements to bring Facebook in line.
To maintain oversight, the FTC mandated a restructuring at Facebook from the board-level down, as well as the creation of an independent privacy committee, with new privacy compliance officers at the company subject to this independent board.
This $5 billion penalty is the largest the FTC has ever imposed for privacy violations. The FTC chairman, Joe Simons, described the penalty as follows:
The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.
The 2019 penalty followed a previous FTC investigation that ended in a settlement in November, 2011. But Facebook did not abide by the terms of the 2011 settlement, leading to a renewed investigation and penalty in 2019.
April 2019: Facebook Uploads 1.5 Million Users’ Email Contacts Without Permission
Between May 2016 and 2019, Facebook uploaded 1.5 million users’ email contacts without their permission. When the new user opened their account, Facebook asked the person to enter their email password to verify the email. Once that occurred, the person’s contacts’ email addresses were imported automatically, all without Facebook requesting permission or the option for the new user to cancel the process. From there, Facebook began using the information to improve ad targeting and recommend friends.
April 2019: 540 Million Facebook User Records Found on Public Server
Researchers with the security firm UpGuard found approximately 540 million Facebook user records captured by app developers stored in an Amazon cloud public server, making the information accessible to the public through the internet. The data included Facebook IDs, account names, comments, reactions, likes, and more.
After the discovery, UpGuard reached out to Cultura Colectiva – the server hosting company – informing them about the unsecured data. Still, it took months before the server was ultimately secured, as no action was taken until Facebook became fully aware of the situation.
Facebook was not directly responsible for this breach, as it was the app developers who improperly stored the information. However, Facebook still bears responsibility over what happens on its platform – and in any case, they have pledged repeatedly not to share users’ information with outside companies.
March 2019: Up to 600 Million Facebook Passwords Stored in Plaintext Files
In March 2019, a report found that as many as 600 million Facebook user passwords had been stored in plaintext files, some dating back as far as 2012. While only Facebook employees had access to those files, it meant that user passwords were fully exposed to approximately 2,000 employees.
Later, it was determined that millions of Instagram user passwords were also being stored in plaintext files, leaving them exposed as well. It isn’t clear if any of the password data was ever improperly used.
December 2018: New York Times Discovers Facebook Sharing User Data Without Permission
In December 2018, the New York Times released a report showing that Facebook had violated users’ consent on privacy. Even after Facebook promised the FTC it would not share user data without explicit permission, Facebook continued to sell users’ information to over 150 companies. Companies such as Netflix and Spotify could even read users’ so-called “private” messages.
In response, Facebook claimed that they considered the companies they shared data with to be extensions of Facebook itself, making this data sharing ‘exempt’ from the FTC’s requirements. This is a frankly ridiculous claim, unless you consider Netflix and Spotify to be part of Facebook (I do not).
Even while Facebook repeatedly promised users that they had control over their privacy, they continued to share highly private information without informing users or asking for their consent. That’s about as clear of a privacy violation as it gets.
September 2018: Attackers Access Data of Up to 90 Million Facebook Users
Still reeling from the damage caused by the Cambridge Analytica scandal, Facebook was embroiled in another data breach. In September 2018, Facebook announced that attackers had accessed user data, allowing them to see the entire contents of user profiles.
The breach was able to occur due to a flaw in the platform’s “View As” feature. With that feature, users can view their profile as if they were another user, giving users insights into what other Facebook users could potentially see. An issue in the code gave attackers the ability to steal a user’s access tokens, giving them the ability to view profile information that may otherwise be private.
According to Facebook, the vulnerability went unnoticed for more than one year. Once spotted, the code issue was corrected, and impacted users’ access tokens were reset. In total, the attackers accessed profile data on anywhere from 50 to 90 million users.
May 2018: Facebook Bug Makes 14 Million Users’ Private Posts Public
Facebook ostensibly gives users control over who can see their posts and their profile. Usually, users have the ability to make certain posts relatively private, limiting who can view the post to, for example, just specific individuals or those included in their list of friends on Facebook.
In May 2018, a glitch prevented the privacy settings from working correctly. As a result, 14 million users’ private posts were shared publicly even though they were initially posted with viewing limitations. These posts became public without users’ knowledge or consent.
The bug was reportedly related to a new feature Facebook was testing, which rolled out on May 18, 2018. The bug was identified fairly quickly, but a fix for the problem didn’t begin rolling out until May 22, and the bug wasn’t fully resolved until May 27.
March 2018: Cambridge Analytica Scandal Affects 50+ Million Users
In its biggest privacy scandal to date, Facebook exposed data on 87 million users to the political consulting firm Cambridge Analytica. This firm got its data through Aleksandr Kogan, a researcher at Cambridge who had access via a quiz app.
Between 2013 and 2015, Cambridge Analytica exploited a loophole in Facebook’s API that enabled it to compile profile data not just from users who downloaded the app, but also from their friend networks. Although Facebook told developers they couldn’t market or sell this kind of data, they did not enforce this policy, allowing Cambridge Analytica to harvest and sell it for years without repercussions.
This was a major breach of user privacy, but it can’t really be considered a hack. Facebook knew Cambridge Analytica was misusing user data as far back as 2015, but Facebook refused to acknowledge any issue and did not take action until the media raised the heat on its coverage in March 2018.
June 2013: Bug Exposes Personal Data of 6 Million Users
In June 2013, news broke of a bug that exposed the sensitive personal data of approximately 6 million Facebook users. The glitch – which was related to the contact information archive – allowed the users’ email addresses and phone numbers to be viewed by unauthorized individuals.
The sensitive data was typically accessed by unauthorized people in error. When a user attempted to download contact information from the connections on their friends list, additional contact details that they weren’t authorized to view were added to the download.
Technically, the issue surrounding this breach is believed to have begun in 2012. However, the bug wasn’t actually spotted until 2013. As a result, it was in place for about a year before a fix was issued.
January 2013: Facebook’s Graph Search Rollout Ignites Privacy Concerns
In January 2013, Facebook launched Graph Search, which enabled users to search for information on other users and groups. These searches could turn up information such as old comments, likes, and photos, which users might not want to be made publicly available.
Though this did not make any previously private information public, it made otherwise forgotten information much more discoverable, prompting many outlets to recommend users update their privacy settings.
November 2011: Facebook Settles with FTC on Privacy Charges
On November 29, 2011, the Federal Trade Commission announced that it arrived at a settlement with Facebook over Facebook’s failings to keep user data private. In a Facebook blog post, Mark Zuckerberg admitted the company had “made a bunch of mistakes”. This post appears to have been taken down, and I can no longer find it on Facebook’s corporate website as of September 2021.
The FTC finalized this settlement on August 10, 2012, following a public comment period. As part of the settlement, the FTC imposed several requirements on Facebook:
The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers’ information, and by obtaining biennial privacy audits from an independent third party.
As this timeline shows, the 2011 settlement did not put to rest Facebook’s issues with user privacy. When Facebook discovered the Cambridge Analytica scandal, for instance, they did not notify the FTC or the affected users. The record shows that Facebook has not adequately complied with this 2011 settlement, and they have continued to face lawsuits and penalties from the FTC as a result.
May 2010: Facebook Shares User Data with Advertisers via “Privacy Loophole”
In May 2010, the Wall Street Journal found that Facebook had been sharing user data with advertisers without the consent of those users. After this so-called ‘privacy loophole’ came to light, Facebook stated that they did not consider the information involved to be personally identifiable – even though it included details such as a person’s name, age, and hometown.
At the time, Facebook said they closed this particular loophole. But as the timeline shows, it was one of many ways they shared user data with advertisers and other business partners without the clear consent of their users.
December 2009: Facebook Makes Previously Private User Information Public
In December 2009, Facebook made their big shift to a platform where users share information publicly, rather than with their select group of friends. As part of this transition, they converted millions of user profiles from private to public and implemented privacy controls that would supposedly allow users to control who could see their posts and other information.
December 2007: Beacon Advertising Program Allows Facebook User Tracking
When it comes to Facebook’s first big brush with widescale privacy concerns, the launch of Beacon – an advertising program – is likely it. Beacon had the ability to track user purchases on other sites and post about what was bought on Facebook, often without first getting permission from the user. After an outcry, Facebook added an opt-out option for Beacon.
We did not find any earlier records of data breaches or privacy violations involving Facebook.