Facebook has said it will not provide identity fraud protection for the victims of its latest data breach.
On Friday it revealed 14 million users had highly personal information stolen by hackers.
It included search history, location data and information about relationships, religion and more.
However, unlike other major hacks involving big companies, Facebook said it had no plans to provide protection services for concerned users.
One analyst told the BBC the decision was “unconscionable”.
“This kind of information could help thieves create social engineering-based theft programmes, preying on the Facebook hack victims,” said Patrick Moorhead, from Moor Insights and Strategy.
Users can visit theft charges defense attorneys link to find out if they have been directly affected.
For the most severely impacted users – a group of around 14 million, Facebook said – the stolen data included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”.
Typically, companies affected by large data breaches – such as Target, in 2013 – provide access to credit protection agencies and other methods to lower the risk of identity theft. Other hacked companies, such as on the Playstation Network, and credit monitoring agency Equifax, offered similar solutions.
A Facebook spokeswoman told the BBC it would not be taking this step “at this time”. Users would instead be directed to the website’s help section.
“The resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls,” the spokeswoman said.
She would not say if the help pages in question had been updated since the company discovered the recent breach.
Breaking into accounts
News of the hack emerged on 5 October when Facebook said it feared 50m users had been affected. On Friday, the company revised downwards its estimate to “about 30m”.
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” Facebook’s head of product management, Guy Rosen, wrote in a blog post.
The stolen data could be highly valuable for hackers, said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.
“What I’m worried about is about being able to break into other accounts,” he said.
“If you look at the list of data, it’s not financial data. But there is stuff in there that’s useful for ‘knowledge-based authentication’, which is definitely important for setting up accounts.”
He said Facebook should perhaps offer free premium access to password managers and other similar software.
In Europe, the hack means Facebook faces a potential fine of up to $1.63bn (£1.25bn), approximately 4% of its annual global revenue. The breach is being seen as the first major test of the new General Data Protection Regulation (GDPR) which came into force in May.
“Today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack,” the Irish Data Protection Commission wrote on Twitter.
“[The] investigation into the breach and Facebook’s compliance with its obligations under GDPR continues.”