Facebook Says Leak of 533 Million Users’ Data Wasn’t a Hack. Does it Matter?

The nuance may be key to avoid triggering a web of state-level laws requiring companies to report data breaches to regulators and the public, privacy and legal experts say. But some also argue the distinction makes little difference to users, as hackers can mine such datasets to connect previously disparate pieces of information for targeting future attacks.

“Facebook is revealing what would otherwise be nonpublic information, which is the link between the user and their phone number,” said Ashkan Soltani, former chief technologist for the Federal Trade Commission.

Speaking Wednesday at a virtual gathering on Twitter Spaces, Mr. Soltani warned that such information could help attackers launch phishing campaigns or hijack victims’ accounts on other apps where phone numbers are used for verification.

Facebook didn’t alert users to the incident—and has no plans to—in part because it can’t determine with certainty which users would need to be notified, a spokesman said. He added that the company takes the information’s sensitivity into account when making such decisions, pointing to how users themselves included the affected data in their public profiles.

Privacy and cyber experts say hackers can cross-reference such datasets, which don’t necessarily need to include sensitive information, to sharpen attacks. Investigators probing the hack of Microsoft Corp.’s Exchange email software, for example, are exploring whether attackers targeted email addresses gleaned from previous data thefts or mass scraping of information from social-media accounts.

Such automated collection of public-facing information violates many companies’ terms of service, said Dominique Shelton Leipzig, co-chair of the ad tech privacy and data-management practice at law firm Perkins Coie LLP.

The U.S. has no federal standard for when companies must disclose data breaches. Various state-level breach notification laws tend to cover incidents defined by the unauthorized access or theft of personal information, she said.

“A phone number alone, under any state breach notification law that I’m aware of, is not personal information,” said Ms. Shelton Leipzig, whose firm represents Facebook but who is not working on this incident.

Facebook, which in the past has criticized researchers and app developers for scraping information from its platform, said the recently reported leak stems from a malicious actor reverse-engineering a tool used to connect users with their mobile contacts rather than from hacking its platform.

Mike Clark, Facebook’s product-management director, wrote in a blog post Tuesday that the actor used software to upload a “large set of phone numbers” to the tool to find matching profiles. Mr. Clark said the actor then crawled accounts and hoovered up available information.

“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Mr. Clark said, adding that the affected data didn’t include financial information, health data or passwords.

The free circulation of the resulting dataset on a hacker forum, which the news site Insider reported Saturday, is the latest in a string of data privacy incidents for the tech company.

The FTC in 2019 voted to impose a landmark $5 billion fine on Facebook for alleged privacy lapses. In early public statements about one key episode, the mishandling of user data by Donald Trump-affiliated data firm Cambridge Analytica, Facebook similarly highlighted that the incident didn’t constitute a breach of its systems.

Regardless of labels, said Justin Brookman, director of consumer privacy and tech policy at advocacy group Consumer Reports, Facebook should have notified users of the 2019 incident so they could have taken precautions.

“Given their history and their management,” he said, “it’s not at all surprising that this is the choice they made: not to tell users.”

Write to David Uberti at [email protected]