On 3 April the Business Insider reported that personal data of 533 million Facebook users were published for free on a low-level hacker forum. The data includes personal information of Facebook users, such as phone numbers, IDs, names, birthdates, location, and others. The affected users are from 106 countries. According to Facebook, the data in question was scraped from Facebook user profiles by malicious actors using Facebook contact importer tool prior to September 2019. Facebook stated that the data breach is old, it was acknowledged at the time and the vulnerability has been patched, and does not intend to notify the affected users.
In response to the news, the Irish Data Protection Commission is launching a probe into the leak to establish whether the dataset referred to is the same as that reported in 2019. It also aims to establish whether the leak of personal information of EU users is within the scope of the General Data Protection Regulation (GDPR) requiring a notification within 72 hours of the breach to the relevant regulator.
According to Politico, Hamburg data regulator overseeing Facebook in Germany and the UK Information Commissioner's Office are aware of the reports and will be looking into them as well.
Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) has requested that Facebook explains how the personal data of Russian users was leaked, including reasons for non-compliance with Russian data localisation laws.
In Brazil, Procon-SP Consumer Protection and Defense Foundation, a government agency, has requested Facebook to explain the reasons for the leak of personal information of 8 million Brazilian users.
Turkey's Personal Data Protection Authority has launched a direct investigation into the leak as well.
The leak may also constitute a breach of Facebook's July 2019 settlement with the US Federal Trade Commission over Cambridge Analytica, which requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident.