Facebook didn't notify the more than half a billion users whose details were obtained through the illegal use of a feature before 2019 and recently disclosed in a database, Reuters reported on Thursday.
A Facebook spokesperson said Wednesday they don't currently have plans to notify the affected users as the social media company wasn't confident it had full visibility on which users would need to be notified.
The personal information reemerged on a hacker website for free on Saturday, Bloomberg reported.
Some of the leaked data included email addresses, phone numbers, full names, Facebook IDs, location information, birth dates, relationship status, and bios.
Facebook said the leaked data was previously reported on in 2019 and that its software engineers patched the underlying vulnerability in August of that year.
But according to reports, the data -- which first appeared on the criminal dark net in 2019 -- originated from a breach that Facebook did not reveal at the time and only fully acknowledged Tuesday evening in a blog post attributed to Mike Clark, Facebook product management chief.
"Malicious actors" had obtained the data in a "large-scale scraping" of profiles through a vulnerability in the platform's tool for synching contacts, Facebook said.
The scraped information didn't include financial or health information or even passwords, Facebook said.
Data sets that find their way into criminal forums are usually mashed together, recombined, and sold off in different batches, which can account for variations in their exact size and scope, Wired said.
Facebook's top privacy regulator in the European Union, the Irish Data Protection Commission, said it has been trying to "establish the full facts" since the weekend and has so far "received no proactive" response from Facebook, Bloomberg reported.
Alon Gal, the chief technology officer of cybercrime intelligence company Hudson Rock, said it's almost certain hackers will use the leaked data for online fraud, including "social engineering" attacks.