Facebook knows that these kinds of "leaks" will never subside since the main issue boils down to the fact that internally, Facebook essentially considers phone numbers and emails non-private data.
They have such a dense branching network of advertisers and auxiliary services which have easy access to this kind of identifying data that I can't see how Facebook can conduct their same kind of grey area dealings without leaking this stuff all over the place.
This, I think, is the bigger story: "Facebook has been under fire not just for providing the means for these massive collections of data, but also the way it actively tries to promote the idea they pose minimal harm to Facebook users. An email Facebook inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." Facebook has also made the distinction between scraping and hacks or breaches."
Facebook are incompetent to protect the data they've collected, so they want you to accept criminal misuse of it.
This story about linking 5m emails to accounts breaks on the same day as:
"Facebook wants to 'normalize' the mass scraping of personal data (vice.com)" - which is also bouncing first page and second on HN today (https://news.ycombinator.com/item?id=26879315)
If these two are not related it's an amazing coincidence.
What are current best practices for large B2C apps like FB, regarding storage of prior values that are replaced by the user? Specifically in relation to key account information (email / phone / 2FA).
Are prior entries effectively wiped... or stored?
And was such practice always in place, or when did it change?
FB is an advertising firm, and the identifiability of their audience is a major value driver of their ad inventory[1]. They explicitly leverage the PII stored on their consumer users to enable advertising offerings such as Custom Audiences[2][3][4] and Advanced Matching[5][6].
Best practice for any B2C app like FB would be to retain those prior values indefinitely, since prior values still provide valid utility for their advertising services as additional data points for matching.
That likely differs from best practices for large B2C apps that aren't like Facebook and don't have similar incentives for indefinite data retention.
Facebook doesn’t care about GDPR or laws for that matter. It’s still profitable to do this and get slapped with some minor fine and some insincere apology.
We have seen it now dozens of times.
It's not really an option these days, most services _require_ a phone number and for some reason that is completely unknown to me, a phone number is considered as secure as a password or email address - despite sim jacking and generally losing access to your number when changing contract being very well-known problems.
You could use a fake phone number service, but ultimately somebody else could just use this to login to your account. You also can't guarantee you are able to use that phone number again when you need to get back in.
The only real option is to not use the service at all, which is easier said than done when your family, friends and even employers use (and require you to use) the service.
Define "services". In the last decade I have signed up for exactly 1 service that required a phone number (Telegram), and somewhere in the region of 8,000 that didn't.
As echoed by 3np, most things I need to use (banking, social media, chat apps, video tools, etc, etc) require a phone number. I'm glad it's still possible for some people to live their lives without this requirement, but it's getting worse and I suspect these days are numbered (pun intended).
In the last few years there had been a wave of new legislation around Europe requiring phone numbers to be associated with a personal identity number, otherwise existing numbers were deactivated. Simultaneously various services (including banks) started to require a phone number to create new accounts and for existing accounts to increase "security".
Agreed. For Facebook I use a single-purpose email address that I don't check (but can) and voip/app telephone # that isn't connected to my real telephone. And I've never regretted it.
Services like facebook seem "too big to fail", don't you think?
It almost seems like those online services should be nationalized, or at least be very thoroughly regulated when they have more than 100k users.
I mean what is the difference between a surveillance network and facebook? None. Which is why it should be regulated or controlled by a state body that can be accountable to voters.
In a way, it can easily be argued that facebook is a "front" so that the government can spy on people. As long as libertarians argue that it should not be part of the government...