Cyber Breach Event

In April 2021, Facebook, the largest social media platform, lost the private data of about 533 million Facebook users. Personal details, including phone numbers and names, were leaked to an online forum; the affected users included 32 million in the US, 6 million in India, and 11 million in the UK (Holmes, 2021). The data breach also leaked 2.5 million email addresses tied to users’ profiles. The hackers exploited Facebook’s contact importer, a feature that allows users to find friends on Facebook by simply importing their contacts. However, the breach was not treated with urgency, leading to backlash from the cybersecurity community and privacy-law regulatory authorities.

Threat Source

Facebook’s data breach resulted from hackers using a malware attack. According to Sahoo and Gupta (2019), malware attacks involve the infiltration of target systems and the collection of sensitive data. Hackers use worms and malware that exploit software vulnerabilities to access an operating system. In this scenario, the hackers utilized a vulnerability created by the company in 2019. Initially, in 2018, Facebook users could find their friends on Facebook using their contacts. However, after the Cambridge Analytica scandal, Facebook shut down the contact importer feature after realizing that it exposed Facebook users to data scraping. The hackers exploited Facebook’s dependence on contact importers to access users’ private data.

The threat source affects various assertions, including confidentiality, integrity, and availability. Confidentiality entails protecting sensitive data from unauthorized access by enforcing access control measures such as file encryption (Alazab et al., 2021). Scraping the data violated users’ confidentiality by accessing users’ private information. Integrity entails protecting data from deletion and modification by unauthorized parties. The integrity assertion was not violated in this scenario since the users did not change or delete any data. Availability ensures data is available when needed. The data scrapers ensured that users could still use their Facebook data.


Type of Threat Source

The type of threat source in the Facebook breach was hacktivists. Hacktivists are organized groups of criminals who carry out cyber-attacks to support political causes (Karagiannopoulos, 2021). The hackers in this scenario aimed to use personal information to impersonate Facebook users, scam them, or hack their Facebook accounts. The hackers could have used bot tools to scrape data.


Facebook’s contact importer feature shows high susceptibility to external attacks. The system exposed user profiles to a hacker attack. In 2019, Facebook claimed they had identified and fixed the vulnerability. However, since most people do not change their phone numbers often, the susceptibility increases: hackers could still utilize the vulnerability to attack the Facebook system. The hackers have a high capability to attack the system by utilizing Facebook’s legitimate functions. The hackers could access the data using techniques that automate the process of data scraping. The more information users upload on their profiles, the higher the chance hackers could impersonate users and scam their friends with actions requiring them to download suspicious malware.

Controls Absent

The Facebook system lacks access controls for protecting users’ confidentiality. Access controls ensure the protection of sensitive data (Alazab et al., 2021). Facebook users share a huge amount of private data, and access controls are important to ensure the confidentiality of this data. The lack of access control made users’ information visible to others and would make it easy for hackers to share posts with friends. Facebook also lacks data encryption controls to protect the availability of users’ data. The system also lacked organizational controls to prevent hackers from accessing the organizational database.
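
One control of the kind this section finds missing, shown as an added example (not Facebook's code and not part of the original essay): a per-account budget on the distinct phone numbers an account may resolve through a contact importer. The class and function names, the 500-number budget, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict


class ContactImportBudget:
    """Caps how many distinct phone numbers one account may resolve per window."""

    def __init__(self, max_distinct=500, window_seconds=86400):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._seen = defaultdict(dict)  # account -> {number: first_lookup_ts}

    def allow(self, account, numbers, now):
        """Return the numbers this account may look up at time `now`."""
        seen = self._seen[account]
        # Forget numbers whose first lookup has aged out of the window.
        for num in [n for n, ts in seen.items() if now - ts >= self.window]:
            del seen[num]
        allowed = []
        for num in numbers:
            if num in seen:
                allowed.append(num)      # re-sync of a known contact is free
            elif len(seen) < self.max_distinct:
                seen[num] = now          # new number consumes budget
                allowed.append(num)
        return allowed


def flag_enumerators(events, max_distinct=500, window_seconds=86400):
    """events: (ts, account, [numbers]) tuples. Returns {account: denied lookups}."""
    budget = ContactImportBudget(max_distinct, window_seconds)
    denied = defaultdict(int)
    for ts, account, numbers in sorted(events, key=lambda e: e[0]):
        denied[account] += len(numbers) - len(budget.allow(account, numbers, ts))
    return {acct: n for acct, n in denied.items() if n > 0}


def sample_events():
    # Constructed data: "alice" syncs the same 120-entry address book twice,
    # "bot-7" submits ten batches of 200 consecutive numbers within ten minutes.
    book = [f"+1555010{i:04d}" for i in range(120)]
    events = [(0, "alice", book), (3600, "alice", book)]
    for batch in range(10):
        block = [f"+1555020{batch * 200 + i:04d}" for i in range(200)]
        events.append((batch * 60, "bot-7", block))
    return events


if __name__ == "__main__":
    print(flag_enumerators(sample_events()))
```

Counting distinct numbers rather than requests lets an ordinary user re-sync an address book without penalty, while an account walking a number range exhausts its budget and shows up in the denied counts for review.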


Alazab, M., RM, S. P., Parimala, M., Reddy, P., Gadekallu, T. R., & Pham, Q. V. (2021). Federated learning for cybersecurity: concepts, challenges and future directions. IEEE Transactions on Industrial Informatics.

Holmes, A. (2021). 533 million Facebook users’ phone numbers and personal data have been leaked online. Business Insider Africa. Retrieved 10 April 2022, from

Karagiannopoulos, V. (2021). A Short History of Hacktivism: Its Past and Present and What Can We Learn from It. In Rethinking Cybercrime (pp. 63-86). Palgrave Macmillan, Cham.