A data leak involving the personal details of millions of Facebook users is being reviewed by Ireland’s Data Protection Commission (DPC).
The database reportedly held Facebook profile names, phone numbers, locations and other personal facts about more than 530 million users.
Facebook has said the data obtained was “old” and from a previously-reported leak in 2019, but the Irish DPC said it will continue to work with Facebook to ensure that is the case.
Ireland’s regulator is critical to these investigations, as Facebook’s European headquarters is located in Dublin, making it an important regulator for the EU.
The most recent data dump appears to contain all of the compromised data from the previous 2019 leak, which Facebook says it found and fixed over a year ago. However, the data has now been published for free on a hacking forum, making the information more widely available.
According to researchers that have reviewed the data, the leak revealed the information of 533 million people in 106 countries, including 11 million Facebook users in the UK and over 30 million Americans.
While not every piece of data is available for every user, the large scale of the leak has still been a cause of concern from cyber-security experts.
The DPC’s deputy commissioner, Graham Doyle, revealed that the recent data dump “appears to be” from a previous leak, and that the data-scraping behind it had happened before the EU’S GDPR privacy legislation was in effect.
However, despite the claims of the data being “old,” some researchers remain concerned due to the long-lasting nature of the data involved. Phone numbers, for example, are not likely to have changed since the 2019 leak. Date of birth and hometown information never change.
Alon Gal, a well-known personality in cyber-security circles, that tweets under the handle @UnderTheBreach, tweeted that the widespread leak of the data “means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data.”