I didn’t receive that terrifying notice from Facebook explaining that an incomprehensible amount of my private information and identifying data had been stolen by unknown hackers, but people close to me did. Now, an uncertain number of people with possibly malicious intent know fairly intimate details about them. And that data can be sold to others with malicious intent. They know their most recent phone number, the last 10 real-world locations they’ve checked in to, who they’ve searched for on Facebook, their email addresses, their religious preference, where they work, and in some cases the contents of posts they’ve made and who they’ve talked to on Messenger.
That’s disturbing, infuriating and creepy. I shudder to think how my loved ones could be targeted with the stolen information, because information isn’t stolen without motivation — something Facebook is still trying to determine alongside the FBI.
As my colleague Kalev Leetaru calls out, the most sinister issue with Facebook’s latest data breach may not be the breach itself, but Facebook’s response to affected users: specifically, its refusal to give users helpful and detailed information that may aid them in preventing future identity fraud or phishing attacks that could target them as a direct result of this privacy violation.
“This raises the question of why Facebook did not offer each affected user a PDF download that contained a complete and exhaustive inventory of every single piece of information accessed from their profile by the attackers,” Leetaru says.
Adding to the unease is Facebook’s response to reporters about the scope of this attack. Their response, according to Leetaru, was the following: “[we are] still looking at other ways the people behind this attack may have used Facebook and we haven’t ruled out the possibility of smaller-scale, low-level access attempts during the time the vulnerability was exposed. Our investigation into that continues.”
Well that’s comforting. If you were one of the 30 million who had sensitive information stolen, brace yourself.
Ultimately this isn’t an article scrutinizing Facebook’s endless parade of problems with privacy and keeping their users safe. It isn’t about the technical details behind the hack. It isn’t about the financial ramifications Facebook will certainly be facing — especially from the EU. It’s about the fact that it did happen, and there’s a rational voice in your head telling you it will happen again.
Prior to this my personal motivations for deleting Facebook have centered around the platform’s toxicity, addictive nature or the bias present in the way our newsfeeds are displayed. But now Facebook feels like a genuine risk to my privacy; perhaps even my safety. The users this breach affected had their friends lists scrutinized and scraped, as well as friends of friends. Are they safe?
Then my next natural thread of thought is “Messenger for Kids” and the fact that Facebook has the audacity to sell us a device that tracks us around a room and zeroes in on our voice. No thanks.
Statements like this always sound like the rantings of tinfoil hat conspiracy theory nuts. Until they happen. Hey, Google isn’t evil so surely it wouldn’t keep a data breach secret for three years just to protect its reputation? But it did. Over the course of four years, Yahoo’s infamous data breach ballooned from 500 million affected accounts to a staggering 3 billion, including accounts from Yahoo-owned Tumblr and Flickr.
Should we just stick our heads in the sand and stop using the internet entirely? That seems impossible. But we can pick our battles, right? Especially when privacy and safety are involved. A minor example is using an alternate search engine like DuckDuckGo that doesn’t track us around the web to sell targeted ads. An extreme example, of course, is deleting Facebook, an action that feels impossible due to how ingrained the platform has become in our daily lives.
Bear in mind, though, we can still talk to our loved ones without it. We can still get our breaking news without it. We can still post memes and update our friends without it. We can download every scrap of data we’ve uploaded to it.
At this point, Facebook has proven it can’t safeguard the sensitive information of its users, even with a safety and security staff that exceeds 10,000 people. And it has demonstrated that it has no genuine interest in aiding affected users beyond notifying them of the breach and reassuring them that hey, at least your credit cards and passwords weren’t stolen too.
We can keep existing on Facebook, but the only truly secure Facebook account is one that doesn’t exist. Even then, you’ll need to wait a full 90 days before all of your information is deleted from Facebook’s servers. According to Facebook, anyway...
You can read more about this incident and see if your account was affected by visiting this Facebook Help Center page.