Facebook suffers a data breach about how it’s hoping to stop the media talking about its last data breach


Oh dear. Facebook has suffered another data breach.

Hot on the heels of the revelation that the phone numbers and personal data of half a billion Facebook users had been leaked online, the social network has goofed again.

But this time it’s Facebook’s PR team rather than its users who have been left exposed.


Someone in Facebook’s EMEA Communications team seems to have accidentally forwarded an internal email to… a journalist covering the story of the Facebook data breach.

Part of the redacted email sent by Facebook to a journalist. Source: Data News.

My guess is that a Facebook employee attempted to forward the internal communication to a colleague, and their email client accidentally auto-completed the recipient’s name to be that of an external journalist. Oops!

What makes matters worse for Facebook is that the email reveals the company’s strategy for handling questions about the exposure of 533 million users’ data, painting the problem as an issue for the whole technology industry.

Belgian journalist Pieterjan Van Leemputten was the recipient of the accidental email from Facebook on 8 April, as he describes in an article on Data News.

Part of the accidentally-sent email reviews the media coverage that Facebook has already received from the breach:

OVERALL COVERAGE: Publications have offered more critical takes of Facebook’s response framing it as evasive, a deflection of blame and absent of an apology for the users impacted. These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient or framing the company’s assertion that the information was already public as misleading. With regulators fully zeroed in on the issue, expect the steady drumbeat of criticism to continue in the press. However, it is important to note that both media coverage and social conversation continues to gradually decline from its peak over the weekend on Monday.

In other words – hunker down, the media will stop writing about it, and the storm will pass.

Facebook’s communications team says it’s not planning to comment further on the breach as long as the media coverage continues to decline.

However, the social network says it is going to be revealing more data-scraping incidents in an attempt to normalise the issue as one that plagues the entire industry.

LONG TERM STRATEGY: Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer term, though, we expect more scraping incidents, and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.

To be clear, Facebook said that the problem was initially discovered and resolved in August 2019. But at least one researcher says that he first warned Facebook about the potential problem back in 2017.

Facebook has tried to downplay the incident, and pitched it as an industry-wide issue. But their arguments are unconvincing, and their failure to acknowledge that they failed to properly fix the problem in the past speaks loud and clear about their transparency and openness.

Facebook knew there was a problem, and failed to do anything until half a billion users’ details were released. And even now it still hasn’t contacted affected users.

The only way we’re likely to get answers (and, heaven forbid, an actual apology) from Facebook is if we keep talking about it.


If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:

Smashing Security #75: 'Quitting Facebook'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Facebook suffers a data breach about how it’s hoping to stop the media talking about its last data breach”

  1. Jim

    Followed by another swift data breach by a pissed off security researcher, for good measure.

    https://interestingengineering.com/new-hack-tool-links-facebook-accounts-to-private-emails

  2. Alfonso

    Fakebook with Scheisseberg at the helm is a criminal organization. PERIOD!

  3. Ana

    Facebook has been suffering from these problems for some time. I start thinking they don't follow reasonable security measures, something terrible.
    They should pay some bill or anything. Like, they suffer from it and then pretend to hide it.
