In yet another major data breach, personal details of nearly 533 million Facebook users from more than 100 countries, including India, were leaked online and uploaded on low-level hacking forums. The breach was first highlighted by Alon Gal, the co-founder and chief technical officer of cybersecurity firm Hudson Rock, who found the cache of leaked data online on Saturday (April 3).
"All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3"
- Alon Gal (Under the Breach) (@UnderTheBreach), April 3, 2021
Meanwhile, Facebook hasn’t yet notified the affected users. However, one of its officials, while talking to a US-headquartered media house, said that the leaked data is "old" and was breached due to a vulnerability that was fixed in August 2019.
What details were leaked?
According to Gal, the leaked details include names, gender, occupation, marital and relationship status, the date of joining and the place of work of users, bio, and in some cases even email addresses and phone numbers. The data breach has been confirmed by multiple groups and media organisations.
The exposed data includes personal information of 32 million Facebook users from the US, 11 million from the UK, 8 million from Brazil, 6 million from India, 3.8 million from Bangladesh, 1.2 million from Australia, among others.
Is this the first time?
It is not the first time that the data of Facebook users has been leaked online. In 2019, the same data (of 533 million Facebook users) was leaked and was being sold on the instant messaging platform Telegram for a fee of $20 per search. Similar data was again leaked in June 2020. Now the data has resurfaced online, and this time those who want to access it can get it without having to pay anything at all.
How can the data be misused?
The leaked data has been put up for free on several forums. The details can be exploited by advertisers for targeted advertisements and by hackers to perform hacking attempts or social engineering attacks. Besides, anyone with rudimentary data skills can use the details to commit a cybercrime.
Earlier, in 2018, it was revealed that political firm Cambridge Analytica mined data from 50 million Facebook profiles. The data gathered was used to help political candidates around the world win elections. The revelations came against the backdrop of the US presidential elections of 2016 and the Brexit referendum.
Is there legal recourse?
While several nations in the West have Data Protection Regulation, India is yet to catch up. Although sections 43A and 72A of the Information Technology Act (2000) provide for compensation in case of improper disclosure of personal information, the Personal Data Protection Bill, which is said to contain provisions relating to a data breach, is yet to be passed in the Lok Sabha. It has been pending since 2019.