My Facebook Was Breached by Cambridge Analytica. Was Yours?

How to find out if you are one of the 87 million victims

Cardboard cutouts of Mark Zuckerberg's face dominate the foreground, while the dome of the U.S. Capitol looms in the background.
Life-size cutouts of Facebook CEO Mark Zuckerberg are displayed by a progressive advocacy group on the lawn of the U.S. Capitol on Tuesday. (Carolyn Kaster / Reuters)

Facebook has begun to notify users who were affected by the Cambridge Analytica data breach. If you or one of your friends installed the personality-quiz app “This Is Your Digital Life” prior to 2015, then some of your data illicitly made it to the servers of the voter-profiling company.

If your data was ensnared in the breach, you’re not alone. I’m also one of Cambridge Analytica’s victims. (If you’re not sure whether you were affected, you can go to this Facebook page, which will tell you if your information was shared.)

I know I was affected by the breach because I saw a big text box when I opened the Facebook app on my phone this morning. Under a bolded headline reading “Protecting Your Information,” the notice read:

We understand the importance of keeping your data safe.

We have banned the app “This Is Your Digital Life,” which one of your friends used Facebook to log into. We did this because the app may have misused some of your Facebook information by sharing it with a company called Cambridge Analytica. In most cases, the information was limited to public profile, Page likes, birthday, and current city.

You can learn more about what happened and how you can remove apps and websites anytime if you no longer want them to have access to your Facebook information.

There is more work to do, but we are committed to confronting abuse and to putting you in control of your privacy.

Contrary to some media reports, the message did not appear in the app’s “Notification” pane. The notice appeared only once: When I closed the app and reopened it, it disappeared.

Last week, Facebook revised its estimate of the size of the breach, saying that it affected about 87 million people. The company had originally estimated that only about 50 million people were affected. According to The Intercept, Cambridge Analytica used that harvested data to make about 30 million “psychographic” profiles of voters in total.

While Facebook says that most users only had their public profile and a few other pieces of data disclosed to Cambridge Analytica, its notice suggests that the company does not know which users had more significant information, such as private status messages or wall posts, sucked up during the lapse.

“A small number of people who logged into ‘This Is Your Digital Life’ also shared their own News Feed, timeline, posts, and messages, which may have included posts and messages from you. They may also have shared your hometown,” says Facebook’s help page for victims of the breach.

There is not much you can do if you were affected by the breach—your data, after all, has already left Facebook’s control. Mark Zuckerberg, the company’s chief executive, is testifying to the Senate Judiciary and Commerce Committees at 2:15 p.m. on Tuesday in response to questions about this leak, larger privacy issues, and the platform’s role in the 2016 election.

Lawyers in the United States and the United Kingdom have also launched a pair of class-action lawsuits against Facebook, Cambridge Analytica, and two other companies involved in the breach.

Last week, in an interview with Zuckerberg, I asked him what he wanted Facebook users to know about the Cambridge Analytica scandal.

“Overall, this is a big breach of trust, and I’m sorry that it happened,” he told me.

“The most important thing is to make sure that this doesn’t happen again going forward. So we’re taking a number of steps. We’re investigating every single app that had access to this data. We’re going to do audits on anyone who we find is doing something suspicious, and we’re going to tell people about that. We’ve taken steps to lock down the platform in the past, and we’re continuing to do that to just make sure it can’t happen again,” he said.

If you’re having trouble understanding the Cambridge Analytica debacle, I wrote a brief summary of the story last month. In short, the voter-profiling firm harvested Facebook user data through “This Is Your Digital Life,” a third-party app that appeared to be a personality quiz. Cambridge Analytica later used this data to inform purchases made during the Brexit “Leave” campaign, Senator Ted Cruz’s campaign in the 2016 presidential primary, and President Trump’s campaign during the 2016 general election.

Cambridge Analytica’s chief executive, Alexander Nix, was later captured on a hidden camera offering to use Ukrainian sex workers to bribe and blackmail politicians in Sri Lanka. He has since been suspended. Cambridge Analytica also has close ties to key figures in Republican politics: Rebekah Mercer, a major GOP donor and a co-owner of Breitbart news, sits on its board. Her father, Robert Mercer, also invested $15 million in Cambridge Analytica.

Some conservatives have alleged that the official app of the 2012 Obama campaign scanned data from people’s friends in a manner similar to the app used by Cambridge Analytica. But people who installed the Obama app knew they were surrendering information to a political campaign, though their friends did not. Meanwhile, users who installed “This Is Your Digital Life,” the app used by Cambridge Analytica, had no idea that its aims were political.

Still, the ease with which the Obama app scanned users’ friend lists without their consent raises an important point. While the Cambridge Analytica scandal leads the news, experts do not believe it was alone in harvesting large amounts of Facebook data between 2008 and 2014.

Even the developers of rudimentary Facebook apps—like my colleague Ian Bogost, who built a satirical video game on the platform called Cow Clicker—accumulated a massive amount of information about their users, whether or not they intended to. “If you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behavior,” Bogost wrote last month.