Facebook data for 533 million users leaked in 2019. It’s still out there.

A two-year-old problem is coming back to haunt Facebook in 2021, and in the process serving as a reminder to users that personal data, once leaked, really is out there forever.

It started on Saturday when Alon Gal, co-founder and CTO of Hudson Rock, a “cybercrime intelligence” firm, took to Twitter with a thread detailing how “533,000,000 Facebook records were just leaked for free.” That number includes more than 32 million U.S. users alone, and spans 106 countries in total.

A subsequent report from Insider, which reviewed the data firsthand, confirmed — using several methods — that the data, or at least the sampling that was pulled for a closer look, was legit. A Facebook spokesperson subsequently confirmed to the site that the user info actually comes from a 2019 data leak, and the method used to obtain the information has long since been patched. That’s what a spokesperson told Mashable as well.

“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” the brief statement reads.

That may be true, but it doesn’t mean there’s nothing to see here. A Washington Post report notes that the leaked database that’s been floating around for two years now has been put up for sale multiple times, at increasingly lower prices. The Saturday discovery, that a user on a hacking forum was offering the whole thing for free, means there’s no longer even a financial bar preventing anyone from digging into private user data; just a willingness to contact a hacker on Telegram.

Facebook understandably wants to keep the focus on the age of the material, since it’s been out there for a while. And that’s fair. The company did move to fix the vulnerability after it was discovered, as it has at other times in the past. That’s a win Facebook can tout.

But that’s not really the issue here, is it? The fact is, the sudden resurfacing of this leaked user database arrives as an unpleasant reminder that such data dumps are effectively permanent. Sure, users can change emails, phone numbers, and the like. But places of residence? Full names? Birthdays? These are trickier to change, if they can be changed at all.

The worst part of it all is, there’s really nothing you can do if you’ve been the victim of a leak, whether it’s this one or another one. But it’s still a good moment to reflect on the things we can do to protect ourselves.

You don’t have to trust a social network with your actual birthday, full legal name, or other personal details that could be used to cause harm in the wrong hands. In fact, cases like this make the strong argument that you absolutely shouldn’t entrust that information to these sites. 

The larger takeaway, of course, is that all the personal information you’re asked to share when you sign up for one of these websites has actual, tangible value. It’s not news that user data is a key piece of Facebook’s business. A lot of that comes from user behavior: What you do on the site, the things you search for, the ways you interact.

Plenty of it also comes from the info that’s more important to you personally, though. Your age, location, and other personal details can be used to sort you into different buckets of interest. It’s how a site like Facebook tailors the user experience to each individual. But it’s also how users suddenly find themselves exposed when security breaches occur.

So yes, in one sense Facebook is correct that this is old news. But don’t make the mistake of leaping from there to “…so it doesn’t really matter anymore.” It does. For 533 million Facebook users, it’s been two years with their birthdays, emails, and full names floating around that whole time, and now it’s easier than ever for anyone to get their hands on it all.