Let's talk about Facebook's security track record. Because let's be honest, it ain't exactly stellar - and rebranding to "Meta" hasn't fooled anyone. Here's the thing: Facebook's got more money than Scrooge McDuck swimming in a vault of gold bullion, and they've hired enough employees to populate a small country. So, where's the disconnect? Why, with all those resources, does it feel like our data is about as secure as a toddler with a box of matches?
Breaches, people, breaches. Facebook's history is littered with them, each one a gut punch to our privacy.
But listen, deleting Facebook might feel like tossing your phone into the ocean because you got a single spam text (trust me, tried it, regretted it). So, what are we supposed to do? Just throw our hands up and say "Welp, guess I'm living in a digital fishbowl"? Nope. Not today. Today, we're talking about taking back control, even on a platform with the security of a wet paper bag.
Buckle up, because we're about to dive into the murky waters of Facebook's breaches and learn how to keep our data afloat.
[Table of Contents]
- 2005: MIT Proves a Point
- 2013: 6 Million Accounts Breached
- 2014: Cambridge Analytica
- March 2019: 600 Million Passwords
- April 2019: 540 Million Facebook Records Accessible on a Public Server
- September 2019: ...and Another 419 Million Facebook User Records
- December 2019: 300 Million Facebook Accounts on the Dark Web
- 2021: Half a Billion Accounts Leaked
- Limit Security Breaches with Facebook Security Settings
History of Facebook Security Breaches
Over the last decade, Facebook has been involved in numerous damaging data breaches and scandals. Below is a recap of breaches through 2024, as well as steps you can take to mitigate the impact of future data leaks.
2005: MIT Proves a Point by Gathering Data on 70,000 Users
The first known Facebook security violation took place in December 2005 when researchers at MIT developed a script that could download publicly posted information. In this case, researchers were trying to prove that social media users were vulnerable to leaks because of their over-sharing of information online. This MIT group then gained personal data on over 70,000 users without getting their permission.
Whether we like it or not, any information we post publicly will be harvested and used either maliciously - such as to hack our accounts - or for seemingly innocuous purposes like targeted ads.
2013: 6 Million Accounts Breached
In July 2013, a “bug” in the Facebook platform exposed the personal information of over six million users to unauthorized parties. The bug involved a user’s ability to download the contact information from the connections on their Friends list. When doing so, they would download additional details that they weren’t authorized to view.
Cybercriminals had exploited this vulnerability since 2012, more than a year before Facebook executives became aware of it and issued a fix. The stolen data included email addresses and phone numbers.
2014: Cambridge Analytica
Voter-profiling company Cambridge Analytica gained access to the private information of 50 million Facebook users without their knowledge or permission. While technically not a breach or unintended vulnerability, Cambridge Analytica was using the data in direct violation of Facebook’s policies, providing the Trump campaign with invaluable insights into US voter attitudes and potentially helping to sway the election.
Various news outlets discovered the breadth of this Facebook security breach in 2018. Until then, the company had kept many of the details quiet. A self-proclaimed outside researcher paid Facebook for the information, a practice that was allowed under their rules. However, this party then passed along the data to Cambridge Analytica, who used it to benefit a private client - something that Facebook definitely did not allow. Even after this scam was uncovered, Cambridge Analytica kept much of the information they had fraudulently acquired.
Foreign and domestic government officials and other parties furiously criticized Facebook for this incident, claiming that their security was woefully lacking and that they had almost casually exposed their users’ information to outside operators.
In response to this criticism, Mark Zuckerberg said that Facebook does not sell user data and pointed to the policy posted on the platform.
March 2019: 600 Million Passwords Exposed
In March 2019, cybersecurity expert Brian Krebs learned that Facebook was storing upwards of 600 million user passwords in plain text files that were available to more than 2,000 Facebook employees. The employees had been logging and storing these passwords through internally-built applications. The investigation revealed passwords in plain text dating back to 2012.
Facebook worked to resolve the issues, and released an official statement which included the following: “There is nothing more important to us than protecting people’s information, and we will continue making improvements as part of our ongoing security efforts at Facebook.”
That sounded promising, but then the rest of 2019 happened.
April 2019: 540 Million Facebook Records Accessible on a Public Server
One month later the Cyber Risk team at Upguard reported over 540 million records sitting on a publicly accessible server which contained detailed data like account names and FB IDs. Upguard had been trying to contact the Mexican company hosting the server since January, but it wasn’t until April that they managed to secure the data.
September 2019: Another 419 Million Facebook User Records on a Public Server
A public server owned by an unknown group was found to have 419 million Facebook Records containing everything from unique Facebook IDs and phone numbers to gender and location. This was a disturbing call-back to the April incident when Facebook announced that they were making changes and knew they had work to do.
To Facebook’s chagrin, their 2019 nightmare wasn’t over yet.
December 2019: 300 Million Facebook Accounts on the Dark Web
Online watchdogs detected one of the most disturbing Facebook breaches in December 2019. Over 267 million Facebook users had their personal data exposed on the dark web, possibly for up to two weeks. The dark web is the home of endless criminal activity, so this breach was egregious. By the time the media reported the breach, Facebook had already made security changes that supposedly fixed this vulnerability. In March 2020, however, another 42 million records were found different server and gathered by the same criminal organization based in Vietnam.
2021: Half a Billion Accounts Leaked
Those hoping that 2021 would be smooth sailing were disappointed by a huge Facebook hack over the weekend of April 3. This Facebook lapse exposed the personal information of approximately half a billion users, including their names, birthdays, locations, and phone numbers.
Facebook acknowledged the leak but said it stemmed from a security problem in 2019 that their team has since fixed. But many Facebook users found that statement to be of little comfort. The information is out there, and the damage could be ongoing. In the US alone, 30 million accounts were affected. Facebook has not made it easy to find out if your account was one of them. According to experts, you have around a 20% chance of being hacked if hackers stole your account information. Check haveibeenpwned.com to see if you are affected.
2023: $725 Million Settlement
The $725 million settlement in 2023 stemmed from a class-action lawsuit against Meta (formerly Facebook) regarding its handling of user data. Here's a deeper dive:
- Lawsuit Origins: The lawsuit stemmed from the Cambridge Analytica scandal, where millions of users' data were improperly accessed in 2018.
- Allegations: Users claimed that Meta failed to protect their data and allowed unauthorized sharing with third parties.
- Settlement Details:
- Meta agreed to a $725 million payout but admitted no wrongdoing.
- The deadline to file a claim for a share of the settlement was August 25, 2023.
- Due to a high number of claims (over 27 million!), the final payout amount per user is likely to be low.
- As of July 2024, the settlement is still held up in legal appeals, delaying payouts to affected users.
The settlement approval process was contentious. Some users objected to the terms, arguing the payout wasn't enough. Overall, this settlement is a significant chunk of money but doesn't erase the underlying privacy concerns surrounding Meta's data practices.
Protecting Your Personal Data on Facebook and Other Online Sites
Despite its spotty security history, Facebook is still a dominant force in social media. Users have stuck with this forum despite some massive security issues. You should not assume that Facebook will automatically keep your data safe. Be proactive and put your own safety measures in place.
Limit Security Breaches with Facebook Security Settings
Experts recommend taking the following steps to enhance your Facebook security:
Clear Off-Facebook Activity History - Facebook can track your activity online when you are not using their platform and use it to target their advertising. They moved the settings for this to Accounts Center.
- Select Settings and Privacy from the menu, then Settings
- Click Accounts Center
- Select Your information and permissions under Account settings
- Select Your activity off Meta technologies
Here, you can clear and disconnect activity
Disable Third-Party Tracking - If you have used your Facebook login information to sign in to other applications, they are tracking your activity. To disable this function:
- Select Settings & Privacy from the menu, then Settings
- Scroll down down on the left until you see Your Activity.
- Click Apps and websites. Click on Active, and then you can disable tracing from individual apps.
Use Two-Factor Authentication on Facebook (and other sites) - The extra time this step takes is worthwhile. To breach your account, hackers would need a security code that is sent only to your mobile phone.
- Select Settings and Privacy from the menu, then Settings
- Click Accounts Center
- Under Accounts settings, choose Password and security
- Choose Two-factor authentication under Login and recovery
We recommend using an authenticator app rather than SMS. SMS-2FA can be intercepted through a cyberattack called a SIM-Swap Attack.
Limit Who Can See Your Personal Posts - You should set your personal Facebook account to private. And if you want to share really personal information, you should limit who can see those posts.
- Select Settings and Privacy from the menu, then Settings
- Scroll down to Audience and visibility
- Click through Posts, Stories, Reels etc to choose who can see what types of content from you.
The Importance of Password Safety to Prevent Security Breaches
Password security is still one of the best ways to keep your personal information and account access safe. Security breaches are so damaging because hackers take your stolen password, perhaps from Facebook, and then input it into all of your other accounts, hoping that you reuse passwords.
If you are like many other online users, you do reuse passwords, sometimes simply because it’s easier than remembering a dozen or more different passwords. Cybercriminals can turn a Facebook security breach into a bonanza of criminal activity that can harm your finances and your reputation. If you have unique passwords for all of your accounts, then a breach of one will not lead to a breach of others.
How TeamPassword Can Help Prevent Security Breaches
Safely managing your work passwords can seem overwhelming, even to the most meticulous company. Fortunately, creating and storing unique passwords is simple with TeamPassword. We provide the latest password safety features, including a built-in password generator for impossible-to-guess passwords that meet the highest security standards.
You can use Teampassword to make sure that your accounts are safe even when social media giants and others leak your passwords. We offer password services that allow you to add, share and manage your internal and client passwords, including those for websites, social media, blogs, and more. You and your employees will not have to remember dozens of secure passwords - we make that part of the process simple while protecting you from security breaches.
You cannot make every account hack-proof, but you can minimize the damage when a breach occurs.
Keep your personal and business information safe with TeamPassword. Try us now and get your first 14 days for free!
