Search Feature Turned Data Breach: Facebook Failed Its Own Security

What started as a remark from an ethical hacker grew into one of the largest data leaks in social media history.

In 2021, it came to light that the data of more than 533 million Facebook users — including 3 million Belgians — had appeared on a hacker forum. Although Facebook described the leak as “old news,” it turned out to be largely the result of its own choices and inadequate security and privacy policies.

How did this happen?

The cause of the leak lay in a seemingly harmless Facebook feature: users could search for other people based on their phone number. However, this feature was not properly secured. As a result, malicious actors were able to automatically enter millions of phone numbers and determine which profiles were linked to them, including names and other personal data.

This method of data collection is known as scraping: software is used to “scrape” large amounts of information from a website or platform, without the consent of the users concerned.

In this case, the lack of effective security measures — such as detecting and blocking automated requests of this kind — allowed malicious actors to compile a massive database containing the personal data of millions of Facebook users. This included names, phone numbers, dates of birth, and in some cases email addresses, all linked to the identified profiles.
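The detection gap described above, as an added example that is not Facebook's code: a small Python check over constructed lookup-endpoint logs that flags clients whose request volume and query pattern look like automated enumeration rather than a person searching for one contact. The log format (`<epoch-seconds> <client-id> <phone-number> <hit|miss>`), the client names and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample log: one person doing a few lookups, and one client
# walking through a block of consecutive numbers at one request per second.
HUMAN_LINES = [
    "1617000000 client-A +32470000001 hit",
    "1617000003 client-A +32470000002 miss",
    "1617000040 client-A +32470000001 hit",
]
BOT_LINES = [
    f"{1617000000 + i} bot-7 +324701{i:05d} {'hit' if i % 10 == 0 else 'miss'}"
    for i in range(30)
]
SAMPLE_LOG = HUMAN_LINES + BOT_LINES


def parse_line(line):
    """Split one log line into (timestamp, client, phone, matched_a_profile)."""
    ts, client, phone, result = line.split()
    return int(ts), client, phone, result == "hit"


def peak_window_count(timestamps, window_s):
    """Largest number of lookups one client made within any window_s-second span."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] > window_s:
            left += 1          # slide the window start forward
        best = max(best, right - left + 1)
    return best


def enumeration_suspects(lines, window_s=60, max_lookups=20, min_distinct_ratio=0.9):
    """Return {client: metrics} for clients whose lookups look like enumeration.

    Two signals together: a burst of lookups well above what a person types in a
    minute, and almost every lookup targeting a different number (a person
    re-searches the same few contacts; a scraper never repeats a number).
    """
    lookups = defaultdict(list)
    for line in filter(str.strip, lines):
        event = parse_line(line)
        lookups[event[1]].append(event)
    flagged = {}
    for client, events in lookups.items():
        total = len(events)
        distinct_ratio = len({phone for _, _, phone, _ in events}) / total
        miss_rate = sum(1 for *_, hit in events if not hit) / total
        peak = peak_window_count([ts for ts, *_ in events], window_s)
        if peak > max_lookups and distinct_ratio >= min_distinct_ratio:
            flagged[client] = {"peak_per_window": peak,
                               "distinct_ratio": round(distinct_ratio, 2),
                               "miss_rate": round(miss_rate, 2)}
    return flagged
```

A high miss rate is reported alongside the other metrics because probing numbers that belong to nobody is a side effect of enumeration that a genuine contact search rarely shows; the thresholds are illustrative and would be tuned on real traffic.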

The issue was reported to Facebook by ethical hackers as early as 2017, but it took more than a year for the social network to take action to limit the use of this search feature. During that period, attackers were able to collect data quietly and on a large scale, ultimately leading to the massive data leak that became public in 2021.

Why “old data” is still relevant

When the data surfaced online in 2021, Facebook responded by stating that it concerned “old data” from before 2019. However, this argument is misleading. Information such as phone numbers, names, and dates of birth rarely changes. Moreover, this is precisely the type of data that can be misused for phishing, fraud, or identity theft.

Inadequate communication and transparency

Facebook never proactively reported the incident to users or the public. Only after the leaked data appeared on a hacker forum did the company issue a brief response. Internal emails that were later made public show that Facebook attempted to normalize the incident and hoped it would remain under the radar.

Legal consequences

The Belgian Data Protection Authority (DPA) and its Irish counterpart (the DPC, responsible for Meta in Europe) opened investigations. Facebook ultimately received two fines totaling €265 million for violating GDPR rules. Nevertheless, the incident was not officially recognized as a data breach by the Irish regulator, which led to legal debate.

Privacy organizations, such as Digital Rights Ireland, appealed this decision. According to them, it is unacceptable that a company does not have to report failures in its own systems as a data breach, as long as no external hack has taken place.

What can we learn from this?

  • A data breach does not have to involve a hack. Poor decisions and slow follow-up can be just as damaging.

  • Ethical hackers are valuable allies. Their reports must be taken seriously.

  • Transparency is not optional, but an obligation — especially when millions of people are affected.

  • Even major technology companies must be held accountable, even if they prefer to downplay responsibility.

How NormNest can help

Would you like more information or expert advice? Schedule a no-obligation appointment with one of our team members.