Facebook said a recently reported data leak affecting potentially 530 million users stemmed from a misuse of a feature in 2019 and that the company had plugged the hole after identifying the problem at the time.
Business Insider reported last week that phone numbers and other details from user profiles were available in a public database.
Facebook said “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the social media service’s tool to sync contacts.
“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” Facebook said in a blog post.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer.
“In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.
“Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles.”
It added that the scraped data “did not include financial information, health information or passwords.”
The company said it identified the issue at the time and modified the tool.
“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” Facebook said.
Additional reporting by iTnews.