In terms of the risk to each individual, this is a minor thing. But the scale of the leak means that it was inevitable that regulators would take Facebook to task. Expect a slow process, with a few disclosures of other failures to protect citizens’ data along the way:
[…] An unknown party scraped Facebook’s database for information on hundreds of millions of profiles (from 106 different countries) by entering phone numbers in this way in 2019. Facebook appears to have become aware of the vulnerability around August of that year and patched it, but did not notify its users of the data leak. The incident might have never come to light if the database had not appeared on an underground hacking forum several weeks ago, containing information that ties phone numbers to email addresses and other public Facebook profile information. Facebook issued a statement indicating that it still does not plan to notify the affected users individually.
It is unclear how many of these users were EU residents, but the region has over 400 million active users as of Q4 2020. Digital Rights Ireland (DRI) is preparing to organize them for legal action, planning a mass action suit (very similar to a class action) that the group says could pay each member up to €12,000 based on results from other comparable cases. The group estimates that about 1.5 million residents of Ireland will be eligible for the legal action. The Irish Data Protection Commission has already announced its own separate investigation into the data leak, which could put Facebook on the hook for fines of up to 4% of its annual turnover if a General Data Protection Regulation (GDPR) violation is found.