June 2020 - Facebook engineers found a problem that allowed third-party developers to access Facebook users' personal data. This data was not something third-party developers should have been able to access. Once the discovery was made, the problem was fixed. However, despite a new policy Facebook implemented to address the Cambridge Analytica scandal of 2018, which only allows developers a 90-day view of customer data after the user engages with the developer's app, thousands of developers could still see the personal information of inactive users if those inactive users were "friends" with an active user.
December 2019 - The private information from 267 million Facebook accounts was discovered on an unprotected database on the dark web by a U.K.-based security researcher. It's believed this data was left exposed for nearly two weeks. The data included names, phone numbers, and Facebook user IDs. Later on, in March of 2020, another cache was found with the data of 42 million more users, totaling 309 million.
It's believed the culprits were a criminal group of hackers based in Vietnam. Experts think the hackers either abused the Facebook API or got the data through illegal scraping. In April 2020, the collective data was found for sale again on the dark web.
September 2019 - An unsecured server was found housing the personal information of 419 million Facebook users. Since the server was publicly accessible, anyone could potentially see a user's Facebook ID and phone number. In some instances, the user's gender, country, and user's name were exposed. The server was not a Facebook server and was taken down, yet no one knows who scraped the data.
July 2019 - In 2011, Facebook was investigated by the Federal Trade Commission (FTC) for privacy violations. In response, a settlement was reached. However, in 2019, Facebook was found to have not abided by the 2011 terms of the settlement, so the company was reinvestigated and given a $5 billion penalty. It was the FTC's most significant penalty ever imposed to get Facebook to change its approach to privacy concerns and thwart future violations.
April 2019 - Without gaining permission, between May 2016 and 2019, Facebook imported all new users' email contacts as part of signing up for an account on the platform. When the new user was in the process of creating an account, they had to input their email address. Facebook then had the new user input their email password as part of a verification measure. The user was not asked if Facebook could import their email contacts, nor did the user have the ability to stop the process. This happened to 1.5 million new platform users. The email contact data was used to improve ad targeting and recommend friends to new users.
April 2019 - The data of 540 million Facebook users, including account names, Facebook IDs, comments, likes, reactions, and more, was found by a researcher at the security firm UpGuard on a public Amazon cloud server. The data was accessible to anyone on the Internet. The data, which app developers had captured, was improperly stored, and even though UpGuard notified the server hosting company of the situation, no action was taken until Facebook was made aware. Although Facebook had no direct responsibility for storing this data, it has repeatedly broken its promise not to share users' data with outside companies.
March 2019 - It was found that 2,000 Facebook employees had access to 600 million users' passwords. The passwords dating back to 2012 were stored in plaintext files that any employee could access. Later, it was found that millions of Instagram users' passwords were similarly stored. Facebook owns Instagram.
December 2018 - A New York Times article revealed that Facebook once again violated users' privacy and went back on its promise to the FTC that it would not share user data without a user's explicit permission. Facebook defended this breach by stating it had shared the data with parties it considered as an extension of Facebook itself. This excuse held little water since some of these companies included Netflix and Spotify, which are obviously not a part of Facebook. Some of the data received by over 150 companies even had users' private messages.
September 2018 - Facebook has a feature known as "view as," which allows users to view their profile as someone else would see it. A problem with the code that enabled this action gave hackers a way to steal a user's access token, which they could use to see private information. This issue went unnoticed for a year and impacted 50 to 90 million users.
May 2018 - A Facebook user has control over who can view their posts and profile. If they share a post and only want a select number of friends or followers to see it, they can generally control it. However, a Facebook bug that was part of a new feature undergoing testing caused a glitch in privacy settings. Consequently, 14 million users' private posts were made public without their knowledge or consent. Although the bug was identified quickly, the issue wasn't resolved for nine days.
March 2018 - Cambridge Analytica, a political consulting firm, exploited a loophole in Facebook's API, which allowed it to compile data on not only users who downloaded its app but all of those users' friends too. Developers are forbidden to market or sell this kind of data, yet that's what Cambridge Analytica did for years with Facebook's knowledge.
Facebook was silent about this data breach until a former employee of Cambridge Analytica gave two interviews to The Guardian and The New York Times. The intense scrutiny in the media forced Facebook to apologize, and Mark Zuckerberg ended up having to testify before Congress. The FTC fined Facebook $5 billion due to its privacy violations. It's believed the data breach affected 87 million users.