A reputable website now lets you check whether your mobile number is part of the 1.5m Irish records caught up in the latest Facebook data leak.
Irish Facebook users caught up in the leak of over a million mobile numbers can now check whether their number is affected.
The website haveibeenpwned.com has updated its system to include searches by mobile numbers.
Users can input their numbers using the country code and full mobile number, without the ‘zero’ prefix.
A typical search would be inputted as 353871234567.
The reputable site, run by the respected IT security researcher Troy Hunt, also lets people check whether their email addresses have been part of any large data breach in recent years.
Meanwhile, the Irish Data Protection Commission has criticised Facebook for a lack of communication over how and when the global dataset of 530m Facebook accounts— including up to 1.5m Irish accounts—came to be leaked and shared.
The watchdog said that its efforts at getting an answer from Facebook about the matter have been met with a tepid response.
“The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook. Through a number of channels, it sought contact and answers from Facebook,” said a spokesperson for the Irish DPC.
Facebook Ireland today responded to queries about the leak with a two-sentence statement.
"This is old data that was previously reported on in 2019,” a spokesperson told Independent.ie. “We found and fixed this issue in August 2019.”
However, it gave a slightly longer response to the DPC, according to a statement from the Irish regulator.
“Based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019,” Facebook told the regulator, as quoted by the Irish DPC. “As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”
The Irish regulator is now warning of risks around spam and security.
“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access,” its statement says.
However, on the question of whether punitive action will follow, the DPC hinted that the behaviour may have occurred before the introduction of the GDPR.
“Much of the data appears to been data scraped some time ago from Facebook public profiles,” the DPC says.
“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”