What information was breached on Facebook

Are you affected? Use your chance to claim damages - this is how WBS can help you!


On the Easter weekend, many Facebook users were surprised by worrying news. Data on 533 million Facebook users surfaced in a hacker forum. 6 million users from Germany are said to be among those affected. The data consists of full user names, dates of birth, e-mail addresses, telephone numbers and also personal information such as relationship status. Are you also affected by the Facebook data leak? Then get in touch with us. The WBS law firm will be happy to advise you on the next possible legal steps.

A report by the IT security company Hudson Rock stirred up politics, society and the media at the beginning of April. Data on around 533 million Facebook users is circulating in a hacker forum. This includes full user names, dates of birth, email addresses, telephone numbers and sometimes the relationship status.

What happened? Telephone numbers of 420 million users had already appeared online in 2019. The hackers had misused a function for finding Facebook friends to access the data. They obtained the data using what is known as scraping. Scraping refers to the automated, mass retrieval of publicly available data.

In this specific case, the method worked like this: It is well known that the telephone numbers of Facebook users are not publicly available. The perpetrators therefore generated hundreds of millions of random phone numbers. Using a friend search tool, they compared these mobile phone numbers with the data of numerous Facebook users. If a phone number in the Facebook database matched the randomly generated number, Facebook returned the data of the respective supposed friend. This made it clear to the fraudsters which cell phone number belonged to whom.

According to Facebook, the data on 533 million users that can currently be found in hacker forums can still be traced back to this data leak. Irish privacy advocates may see even more in the leak: According to their statement, the current leak appears to contain the earlier records. However, it is possible that the data records have been supplemented with further information that could come from a later period.

How WBS can help you

Our experienced team of lawyers in data protection law will be happy to advise you on your claims and options for action. Do not hesitate to contact us. Simply fill out the following form. With us, the initial consultation is of course FREE OF CHARGE!



What are the dangers for those affected?

For those affected, the leak poses a particular danger: Due to the published email addresses and telephone numbers, there is currently an increased volume of fraudulent spam messages. So-called smishing text messages containing fake package notifications are particularly common. If you open the link in the SMS, you are redirected to a malware page.

Often such messages are not particularly credible on closer inspection. But that too can change due to the abundance of data in the leaked information. With knowledge of birthday, occupation, place of residence and other personal information that can be inferred from a Facebook profile, the messages - whether smishing SMS or phishing emails - can be made more and more authentic and thus become a great danger to those affected.

Is Facebook liable?

Judgments on fines in the event of data breaches have caused a stir at least since the GDPR came into force. A fine of 7 million euros was recently imposed on Facebook itself! This is because it does not sufficiently explain in its data protection terms how the user data is used internally.

In the case of data protection violations that are not primarily the responsibility of the group, things are a little different. In cases in which a hacker attack or scraping takes place from outside, Facebook is first of all obliged to report the incident immediately to the responsible data protection supervisory authority and to close the leak. It can only be fined if it fails to comply with this obligation.

In principle, in the event of a data breach, a data processor also has the duty, subject to a fine, to inform those affected. Whether Facebook has to inform the affected users of the data breach depends on Art. 34 GDPR. Art. 34 GDPR provides that data subjects are to be informed of the violation by those responsible "immediately". However, this only applies if the violation "is likely to pose a high risk to personal rights and freedoms". The duty to provide information is also excluded if Facebook has immediately taken measures to restore the security of the data. It will now have to be examined whether the requirements of Art. 34 are met. Facebook has already talked its way out of its reporting obligations by saying that it made improvements immediately after the first publication of data in 2019.

Irish Data Protection Commission investigations

The Irish Data Protection Commission wants to investigate, however, to determine whether Facebook has actually complied with its control and reporting obligations. On April 14, 2021, it published the following public statement (translated from English):

The Data Protection Commission (DPC) today launched an investigation under Section 110 of the Data Protection Act 2018, on its own initiative, into several international media reports which emphasized that a collected dataset of personal data of Facebook users had been made available online. This dataset reportedly contained personally identifiable information from approximately 533 million Facebook users worldwide. The Data Protection Commission has contacted Facebook Ireland regarding this issue and asked questions about compliance with the General Data Protection Regulation, to which Facebook Ireland has provided a number of responses.

After examining the information so far provided by Facebook Ireland on this matter, the Data Protection Commission is of the opinion that one or more provisions of the GDPR and / or the Data Protection Act 2018 relating to the personal data of Facebook users may have been and / or are being violated.

Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations as data controller in relation to the processing of its users' personal data through the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer functions of its service, or whether one or more provisions of the GDPR and / or the Data Protection Act 2018 have been and / or will be violated by Facebook in this regard.

How WBS can help you!

On the basis of Art. 15 GDPR, users can request information from Facebook as to whether they are affected by the data leak. If Facebook provides no information or incomplete information, this can result in a claim for damages in your favor under Art. 82 GDPR. In addition, further breaches of duty by Facebook in connection with the data leak come into consideration, which may also result in claims for damages.

Most recently, German courts have granted plaintiffs high claims for damages under Art. 82 GDPR in the event of GDPR violations. The norm is increasingly being interpreted very broadly by case law. In some cases, the courts also argue that the damages due to the plaintiffs must have a deterrent effect and must therefore reach a dissuasive level.

In the following cases, courts have granted high amounts of damages in proceedings on similar issues under data protection law:

Injured parties could therefore regularly assert claims for damages in the four-digit range. Of course, the success of your claim for damages and the exact amount of your individual claim as a result of the Facebook data breach always depend on the individual case. However, we will try everything to achieve the best possible result for you.

Our experienced team of lawyers in data protection law will be happy to advise you on your claims and options for action. Do not hesitate to contact us. Call us at 0221/951 563 0 (advice nationwide).