10 times Facebook violated your privacy

Privacy news
5 mins
10 times Facebook violated your privacy.

Another day, another Facebook leak. What are the odds? This time, it seems that personal information for just over half a billion users has leaked online. That’s more than the combined populations of the U.S., Australia, the UK, and Canada.

Facebook harvests a lot of your data for internal use, but it’s also no stranger to data breaches that expose your information to the public. Many of us know it doesn’t have a stellar privacy record, but the actual scale of all its leaks is astonishing.

Let’s take a look at ten times Facebook has exposed user data.

[Know your privacy risks. Sign up for the ExpressVPN Blog Newsletter.]

533 million user profiles in 2021

In Facebook’s latest fiasco, revealed in April 2021, personal details were leaked to a publicly accessible hacking forum. Compromised data includes emails, Facebook IDs, phone numbers, birth dates, and location information. 

It gets worse.

Facebook then announced that it wouldn’t disclose which users had been affected by the leak.

It gets worse.

They wouldn’t disclose which users were affected because they have no idea who they are.


To be fair, the information wasn’t obtained by hacking into Facebook servers, but rather through a process called scraping, which uses bots to extract data from websites. All data available in this leak was scraped from Facebook before September 2019. While affected profiles could currently be using updated personal data, cybercriminals could still use this information to impersonate other people.  

419 million user phone numbers in 2019

Last year was not a good year for Facebook as hundreds of millions of user phone numbers were left exposed on a public server. The records included 133 million numbers on file of U.S.-based Facebook users, 18 million of those in the UK, and 50 million Vietnamese users.

Both the users’ unique Facebook ID and the phone number associated with the account were left on the server. Some also included the name, gender, and country. No one knows who owned the offending server or how the data had been scraped off of Facebook’s own records.

267 million records left exposed on the dark web in 2019

Facebook IDs, phone numbers, and names of over 267 million users, most of them in the U.S., were found on an unsecured database on the dark web. Security researcher Bob Diachenko, who discovered the breach, traced the database back to Vietnam and said that it could have been the work of automated bots programmed to scrape publicly available information from Facebook profiles.

It’s also possible that the data could have been stolen directly from Facebook’s developer API.

The offending records were available to anyone for up to two weeks before discovery. A hacker forum also posted a downloadable link to the data set.

6 million phone numbers and email addresses in 2013

In June 2013, Facebook disclosed that a technical glitch in its database had exposed the contact details of 6 million users, a problem that began in 2012. Facebook users who downloaded contact data of their friends were given additional information that shouldn’t have been made available.

Facebook said it fixed the bug within 24 hours of its discovery and only announced it to the public after confirming that the bug was no longer operational.

14 million user profiles in 2018

A Facebook glitch caused 14 million users to have their new posts set to “public” rather than their preferred privacy setting.

This happened during the rollout of a new feature and was not addressed for four days. At the time, Facebook sent a notification to its users reminding them to check on the status of their privacy settings and revert back to their preferences.

If you would like to check who can see your Facebook posts, go to Settings > Privacy > Your Activity. There you can check who has access to future posts.

Up to 90 million user passwords in 2018

In one of its largest data breaches yet, Facebook confirmed that up to 90 million users could have had their accounts breached due to a bug in its “View As” feature.

The attackers exploited a vulnerability that allowed them to steal Facebook access tokens. Such tokens are digital keys, which store user login information and prevent them from having to re-enter their password everytime they use the Facebook app. As a result, the hackers could have taken over anyone’s account.

Facebook reset those access tokens, which required everyone affected to enter their login details again.

87 million records leaked to Cambridge Analytica in 2018

Personal data of over 87 million people was leaked to political research firm Cambridge Analytica after it exploited a vulnerability in its API. The leaks were linked to an online personality quiz titled “thisisyourdigitallife,” which more than 270,000 Facebook users were paid to fill out. Cambridge Analytica pulled information related to friends lists from users who took the quiz and used it to build psychological profiles and analyze personality traits.

600 million passwords accessible in 2019

Security researcher Brian Krebs revealed in March 2019 that Facebook had stored the passwords of hundreds of millions of users in plaintext, making them accessible to employees. In some cases, the passwords dated back to 2012.

Krebs, quoting an unnamed source, said 2,000 engineers inside Facebook had potentially accessed the passwords. In total, there were 9 million internal queries to look up data elements that also contained plaintext user passwords.

In a statement, however, Facebook said these passwords were never visible to anyone outside the company and that they “found no evidence to date that anyone internally abused or improperly accessed them.”

540 million user records visible in 2019

Another damning leak followed shortly after the Krebs revelations. In this case, Facebook third-party app developers left hundreds of millions of records on publicly visible cloud servers.

Security researchers found a 146 GB data set uploaded by Mexican company Cultura Colectiva. The set included information pertaining to Facebook user activity, account names, and IDs, with over 540 million records. There was no way of knowing if anyone had accessed the database or misappropriated the information. The data set was removed shortly after Facebook became aware of the issue.

1.5 million user email contact lists in 2019

In April 2019, Facebook admitted that it had “unintentionally” siphoned the email address books of over 1.5 million users without asking for permission explicitly. The breach took place after Facebook asked new users to enter the password for their email account. It proceeded to upload all the email contacts onto its own servers.

The breach dated back to 2016, which meant it went on for almost three years before Facebook put a stop to it. It added that it had bolstered internal processes to prevent this from happening again.

Also read: Tired of Facebook’s privacy scandals? Here’s how to delete Facebook permanently.

Phone protected by ExpressVPN.
Take the first step to protect yourself online

30-day money-back guarantee

A phone with a padlock.
We take your privacy seriously. Try ExpressVPN risk-free.
What is a VPN?
I like to think about the impact that the internet has on humanity. In my free time, I'm wolfing down pasta.