Data leak at Facebook

April 14, 2021 • Facebook

What happened and who is affected?

On April 3rd, 2021 it became known that unknown persons had published a large amount of Facebook user data in a hacker forum. The IT security company Hudson Rock was the first to draw attention to this latest data breach at Facebook. It affects a total of 533 million Facebook users worldwide, including over six million from Germany. The stolen data records consist of the Facebook user name, the Facebook ID, full name, telephone numbers, dates of birth, location information, biographical information such as relationship status, and e-mail addresses. The exact scope of the individual data records varies.

Am I affected myself?

You can check whether your own data is affected by entering your email address or telephone number on the Haveibeenpwned and Freddygreve online services. They only report whether the corresponding information is part of the publicly known data set. The details of the records are not disclosed. (Note: The linked pages have not been checked by us in terms of data protection law. Please note the corresponding data protection information on the pages.)

In the meantime, Facebook has also provided a contact form in its help area, which users can use to submit inquiries about this incident. Among other things, the following questions can be put to Facebook there:
• Has my information been affected by scraping?
• How do I delete my phone number from my Facebook account?
• I have a question about media coverage that is not listed here. How can I send a request to Facebook?

What should those affected do?

If your own Facebook account is affected, the password should be changed as a precaution. It is also advisable to change the e-mail address and telephone number assigned to the Facebook account. Particular caution is recommended with messages that now arrive via the addresses or numbers that have become publicly known.

In this context, the HmbBfDI warns of so-called "smishing", i.e. phishing via SMS. There is apparently a direct connection to the data leak at Facebook. Criminals send short messages that supposedly come from parcel services. These SMS messages also contain a link that leads directly to malware or to phishing pages on which sensitive information is to be disclosed. Anyone who receives such a text message should not click on the link and should delete the message immediately upon receipt. It should also be checked whether the smartphone already has the latest security update.

Further current information and notes on this, especially if you have already clicked on a corresponding link, can be found on the website of the Federal Office for Information Security or on the website of the State Criminal Police Office of Lower Saxony.

What are the data protection supervisory authorities doing?

The Irish supervisory authority responsible for Facebook in Europe (IDPC) has started an initial investigation and asked Facebook to comment. Many details are still unclear, but when the other European supervisory authorities were informed, the following circumstances became known, based on information from Facebook:
• The data was stolen in the context of so-called scraping, presumably using the Messenger Contact Importer function.
• Apparently only data that had the access status “public” on Facebook is affected.
• Corresponding gaps were probably closed by the end of 2019 at the latest.

With regard to the current status of this investigation, we refer to the IDPC press release of April 6, 2021. This is available here. The IDPC has not yet completed the legal assessment of the process, in particular the question of whether it is a reportable incident in accordance with Art. 33 GDPR and whether, if necessary, those affected must also be notified in accordance with Art. 34 GDPR.

The HmbBfDI cannot carry out its own investigation directly on Facebook on the basis of the GDPR.