by bassdropvroom 1901 days ago
So after longing it out, today I had a look on haveibeenpwned, and it seems I am one of those whose data has leaked.

After re-reading all of the events of this breach, it seems that the exploit was fixed in Aug 2019 (as claimed by Facebook). I had deleted my account some 2 years prior to that.

Either these attackers have had access for over 2 years, or Facebook has not deleted my data, and likely everyone else's data either.

What can an individual, or perhaps everyone affected, do in this scenario?

4 comments

Assuming that the data is just your phone number and name/email, is it not possible that this is just from friends who have allowed Facebook and/or Messenger to share contact info? Your original account data almost certainly would have been deleted/purged due to various regulatory requirements, but that doesn't necessarily stop your contact info from being shared again and making its way back into the system.
But then again, Occam's razor would suggest that FB never deleted the data in the first place.

By the way, data is not "making its way back" like some sort of salmon trying to get back to the source, it is forcefully harvested by FB.

Presenting a screen/dialog to the user at first login asking for permission to access contact data does not sound like "forcefully harvested". Users rarely understand the consequences of their decision, which is why I would love to see iOS and Android eliminate the option of wholesale contact access, but use of Facebook apps is not predicated upon receiving your contact data.
It does if your average user is so uneducated they freeze up and whack the next button until the screen with all those words on it goes away.
If someone signs a bad contract because they refuse to read and understand it, and just signs it anyways, they're still generally bound by the terms of the contract. iOS and Android both have pretty clear descriptions in their permissions dialog of what the app is asking for.
It's not a bad contract for that someone though. It's a bad contract for that someone's friends.
Maybe that adjective is not quite right, "rapaciously" perhaps?
Check out the following twitter thread: https://twitter.com/carolecadwalla/status/137983433288654029...

Renowned hacker Inti De Ceukelaire informed facebook of this breach in 2017, but FB just sat on it for a year and did nothing, ultimately claiming it was scraped from publicly available data at the time.

So while we do not know and can only assume deleted data is merely indicated by a flag and not really deleted, this exploit does not include data from closed/deleted accounts.

FB doesn't allow user access to/control of/deletion of shadow account data, which is in violation of the GDPR.

My phone number is in haveibeenpwned. Maybe it's from another leak? I deleted my Facebook account years ago and it doesn't have my new number. WhatsApp does.
I only recently deleted my WhatsApp, so could very well be. Though, according to HIBP it's from the same leak that has recently become known, but who knows.
Yeah, same here, it's the Facebook leak. So why does it have my number? Maybe I activated it for something, changed the number, and forgot. It's not impossible with me.
haveibeenpwned pulls from multiple data leaks. So it is likely your data was leaked somewhere else and the company that got hacked simply never reported it. Happens all the time. Once your data has been leaked, there is nothing you can do about it. Your information will simply just float out there in the internet ether forever.

This is why it is so important for everyone to go pseudonymous online especially if you are doing ANYTHING that can be remotely viewed as controversial, like political speech. The reality is whether you like it or not, your personal information will be leaked.

I know these days everyone wants to be a social activist on social media today but just don't do it. It is not worth it if some nut job decides to go after you for whatever reason. It is very easy these days to find where people live, work, phone numbers etc. by simply knowing their first name, last name and general location of where they live. Most people openly disclose this information.

I will automatically give less credence to an anonymous person. They are giving me nothing of themselves, so they expect nothing, and feel no obligation to present the truth. On the flipside, being anonymous, I don't take myself seriously enough. Yes, this has regrettably made me come close to trolling, I've worked on it, but I'm still not close to being fully genuine and I know that.