Facebook says that a vast trove of personal information of more than 533 million users, uploaded freely to the internet, was harvested as part of a feature gone wrong.
The data was not stolen in a hack but instead through malicious users of its “contact importer,” Facebook said in a new blog post.
Mike Clark, product management director at Facebook, explained the company believes the data was “scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.”
Though that feature was intended to allow people to upload their contacts from their phone to Facebook and find people they might know, malicious actors were able to use it to scrape the personal information of people who were already on the platform.
But Clark said Facebook updated it in 2019 to prevent hackers from scraping users’ phone numbers.
“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” he added.
Facebook said that the information “did not include financial information, health information or passwords.”
Facebook has become accustomed to dealing with multiple massive privacy breaches in recent years, and data belonging to hundreds of millions of its users has been leaked or stolen by hackers.