Skip to content

Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Image: Niall Carson/PA Wire/PA Images

Tens of thousands of Irish users' emails and phone numbers were exposed in last year's Facebook hack

Confidential emails from the social networking giant reveal the local fallout of the September attack.
May 19th 2019, 12:15 AM 16,988 26

TENS OF THOUSAND of Facebook users in Ireland had private information like their phone numbers and emails exposed in a major hack last year, confidential correspondence from the social networking giant shows.

The total included more than 20,000 users who had both their contact details and other sensitive data like their birth dates and locations accessed by hackers.

The figures were included in an email to the communications minister, Richard Bruton, in the wake of the damaging security breach – which will be a major test case for the Irish Data Protection Commission’s enforcement of strict new EU data protection rules.

Facebook has not publicly shared a breakdown of how many users in Ireland were affected by the hack, which involved attackers stealing ‘access tokens’ for around 30 million accounts worldwide over a two-week period from 14 to 27 September.

The company later disclosed that around 10% of the accounts affected were believed to belong to EU-based users.

However in a message a few weeks after the hack to the minister, Facebook’s head of public policy for Ireland, Niamh Sweeney, revealed further details about the impact of the hack on the company’s local user base.

She disclosed that more than 42,000 users in Ireland had their details compromised in the breach.

The figure included:

  • 416 whose profiles, including lists of recent Messenger conversations, were fully exposed to the hackers;
  • 22,381 whose name and contact details were accessed;
  • 20,448 whose recent searches, locations and birth dates, in addition to their contact details and other personal information, were compromised.

The hackers were unable to read the private messages of those whose profiles were fully exposed, Facebook said, although the attackers would be able to see private messages sent to pages administered by members of that group.

We would be grateful if you could keep the numbers I’ve shard (sic) above confidential as we continue to work on this analysis,” Sweeney wrote in the email, which was obtained by

CA: F8 2019 Facebook Developer Conference Facebook CEO Mark Zuckerberg Source: SIPA USA/PA Images

A security weakness

Hackers exploited a weakness in Facebook’s code to carry out the attack, stealing tokens – which are normally used to allow people to remain logged into their accounts – that enabled them to effectively take over people’s accounts.

Speaking after Facebook first revealed details of the worldwide breach, CEO Mark Zuckerberg described it as a “really serious security issue”.

The company said it would notify the affected account-holders.

It has not been revealed who was behind the attack or what, if any, use was made of the compromised data.

The Data Protection Commission has since opened three separate statutory inquiries into whether Facebook had breached EU rules governing the handling of data after it was notified of the hack.

The commission, which acts as the defacto European watchdog for many major tech companies’ data practices due to firms like Facebook’s regional bases in Ireland, has the power to levy fines of up to 4% of a company’s yearly revenue under GDPR provisions.

In the case of Facebook, the penalty could potentially stretch to more than €1 billion – although any actual fines are likely to be much less than the maximum figure.

A commission spokeswoman said inquiries into the Facebook hack were “at an advanced stage”. It is currently conducting another five, unrelated investigations into the social network.

Know more about this story? Email the author via or send a message using the secure Threema app, ID: ESUCBYMK.

Send a tip to the author

Peter Bodkin


This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
write a comment

    Leave a comment

    cancel reply
    Back to top