Luxembourg's National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD) has issued a statement offering clarification over a Facebook leak which reportedly involves over 188,000 Luxembourg accounts.

Following the publication of several press articles on a data leak affecting 533 million Facebook accounts worldwide, including a large number of Luxembourg accounts, the CNPD said it wished to provide details and advice.

In application of the system of cooperation between supervisory authorities provided for by the General Data Protection Regulation (GDPR), the CNPD is in contact with the Irish supervisory authority, the Data Protection Commission (DPC), which acts as the lead authority for Facebook cases as the company is headquartered in Ireland. The DPC confirmed that it has prioritised the handling of this matter and that it is sharing the information obtained with its European counterparts.

According to the CNPD, the basic assumption at the current stage of analysis is that the disclosed data resulted from a data breach that took place between June 2017 and April 2018. The vulnerability at the origin of this leak has since been addressed.

The CNPD warned that the current situation once again demonstrated the importance of proceeding with caution when posting information on social media, as well as the impact over time that such a data breach can have.

At present, the CNPD recommends that Facebook users take the following actions:

  • assume that your account is more likely to be affected than not;
  • check as far as possible what potentially sensitive or intimate information about you is / was publicly accessible, both now and back in 2018;
  • be particularly aware of potential phishing attacks where someone refers to this information to ask you for more information, particularly passwords, mobile phone numbers and email addresses;
  • do not follow an external link to log into your Facebook account;
  • do not hesitate to contact the Facebook service directly as soon as you suspect questionable activity on your account;
  • in general, do not use a password for your Facebook account that you also use for other services, particularly for your email account.