Meta Plans to Erase Your Memory About the WhatsApp Data Leak

WhatsApp has denied that 500 million users’ data has been leaked, but there’s more to the story.

Meta is no stranger to data breaches. The company has a long history with hackers, from a 3-million user leak in 2018 to a 50-million account information leak in the same year. The tech giant has only seen bigger data breaches as time goes on. 

Last week, reports surfaced that almost 500 million WhatsApp users’ data had been leaked. WhatsApp has since rubbished the rumours, stating that they are based on “unsubstantiated screenshots”, but a cursory glance at the forum post shows that the hacker used scraping to harvest the data.

Meta has long been criticised for not taking adequate action against scraping of user data. Not only have they had a cavalier attitude towards the protection of user data in the past—evident in their practice of storing user passwords in plaintext—but their company policy on data breaches caused by scraping is to not comment on the matter at all. 

Nearly 25% of WhatsApp’s users were exposed 

On November 16, an ad was posted on a well-known hacking forum, reportedly selling the mobile numbers of 478 million WhatsApp users. This breach includes information from around 84 countries, with over 6 million Indian users’ data included in the database.

The hacker also mentioned in the forum post title that they extracted the data through scraping. Scraping is a method in which large amounts of data are extracted from websites, usually in violation of the terms of service of said website.

The scraped data comprises the mobile numbers of active users on the platform, with the total number of affected users coming close to 478 million. This information can be used by malicious actors to engage in phishing attacks. 

Some of the countries hardest hit by this breach include Egypt, with 44 million users affected, Italy, which had 35 million users’ data harvested, and the USA, with 32 million users hit. The agent who scraped the data has been selling it for a high price. The US dataset’s price has been set at $7000, with the UK and Germany datasets priced close behind at $2500 and $2000, respectively.

While WhatsApp has touted its privacy features like end-to-end encryption, it is clear that the data philosophy of the messaging service has to be rethought to prevent such breaches. However, there is a far more sinister reason for Meta to not revamp their services to offer better data privacy for their users.  

Meta’s data breaches

In 2016, a company called Cambridge Analytica saw the value in the large amount of user information on the site, and created an app to scrape the data. This data was then infamously used to aid the presidential election campaign of Donald Trump. While this triggered widespread outrage and led to many regulatory outcomes, it seems Meta has yet to learn its lesson. 

In 2019, the company was caught storing 600 million Facebook and Instagram users’ passwords in plaintext files. These passwords were not encrypted in any way, with over 2000 Facebook employees having access to this database. The company stated that the passwords were not compromised in any way, but it provided an important insight into how the company approached data security. 

Scraping is still being used by malicious actors today. Earlier this year, Meta notified its users of close to 400 malicious applications that scrape data, with no information on how many accounts had been affected in this breach. 

What’s Meta doing?

Meta has recognised this trend, but has failed to act on it so far. Even after setting up an external data misuse team with over 100 people, these incidents still continue to happen. Meta’s explanation is that it is difficult to differentiate normal users from scrapers, as they try to “blend in” with users.

In reality, they seem to wish to cover up these breaches and continue business as usual, as evidenced by a leaked memo sent out in late 2021. In this internal email, Meta has stated that they can expect a “steady drumbeat of criticism” from the press whenever a data breach occurs. 

They have also clarified their position on the matter, stating that they “expect more scraping incidents” and that they should frame it as a “broad industry issue” and as something that “happens regularly”. The company has also identified the fact that these news stories die down quickly, absolving them of the responsibility of giving statements of accountability on the matter. 

In a statement, Meta said, “We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it.”

The company claims that it does its best to prevent the harvested data from being misused, but the way its platforms are built easily facilitates scraping. This bug cannot be reworked or fixed, as it is also integral to the way Facebook runs operations.

Looking at the trend, it is clear that Meta does not spare a second thought about the effects of collating such a large amount of user information in one place. Moreover, their risky security practices put nearly a billion users’ information at risk. Getting access to this harvested data is the first step for malicious actors to then make further contact with individuals in order to hack them, scam them, or commit identity theft. The larger the amount of information contained in a data breach, the more people will be affected by such malicious activities.

Regulators have caught up to the game that Meta is playing, with the company having to pay millions of dollars and euros in fines over the last few years due to non-compliance. Meta’s attitude of ignoring these scandals until they go away or denying accusations is not likely to last. However, until then, users of their products must be cautious about any possible malicious activity launched unbeknownst to them due to Meta’s carelessness. 

Anirudh VK

I am an AI enthusiast and love keeping up with the latest events in the space. I love video games and pizza.