In 2014 Facebook authorized a Russian/American researcher named Aleksandr Kogan to view information about people who used his personality quiz app "thisisyourdigitallife". This data was to be used for research and should have only given him information on the 270,000 people who agreed to download and use his app. Kogan abused Facebook's terms of service by accessing the data of all the friends of the people using his app. This underhanded technique changed the number of people that he was harvesting data on from 270,000 to 87 million. He then shared this data with Cambridge Analytica, a data analytics company based in the United Kingdom. Cambridge Analytica used this data to help categorize and profile more than 50 million people so that they could be better targeted with advertisements. Upon finding out about the massive data harvesting, Facebook removed "thisisyourdigitallife" from their platform, issued a mandate to Cambridge Analytica to destroy all the data they gathered, and fixed the loophole that subjected users to having their data exposed by their Facebook friends. However, Cambridge Analytica did not comply with Facebook's mandate, and since Facebook never checked that the data had been deleted, Cambridge Analytica was able to use this data in the 2016 election to aid the Trump campaign.

Throughout the 2016 presidential election, the Trump campaign paid Cambridge Analytica to help target voters with personalized ads. Giving users personalized advertisements may seem innocent at first, however in reality this was voter manipulation on a national scale using stolen data. In general, when advertising through a site like Facebook, the options for selecting who the ads are shown to are limited to things such as "Users who liked a specific page." The ad targeting carried out by Cambridge Analytica was on a more massive scale since they were looking at so many users, and was more specific since they looked at personal details on each user to try to figure out what type of person they are. This was all kept hidden from both Facebook and its users, and it was not until much later that the details of the situation came out.

In March of 2018, it was revealed to the public that Cambridge Analytica had been misusing the user data that they harvested from Facebook between 2014 and 2015. Christopher Wylie, a whistleblower from Cambridge Analytica helped expose the specifics of the situation, such as the scale of the operation and timeline of the events. In the past, most cyber attacks like this had been largely ignored, but something about this event specifically made people outraged. People were upset that Facebook was selling large amounts of their data to third party companies simply because the user agreement says they are allowed to do so. The users who downloaded and used the personality app agreed to the terms and services, but their Facebook friends, who also had their data harvested, were affected despite never having heard of "thisisyourdigitallife". These events sparked a nationwide discussion on the importance of terms and services agreements, as well as who the personal data that users put online belongs to. 

Facebook stock fell dramatically as a result of the scandal and the court case that followed it, with about a 15% decrease in stock price. Facebook was also fined £500,000 by the British Information Commissioner's Office (ICO) for two breaches of the Data Protection Act. Along with this decrease in market value, many users also began deleting their accounts, to prevent themselves from becoming victims of similar privacy breaches in the future. Meanwhile, Cambridge Analytica's parent company, Strategic Communication Laboratories (SCL) Elections, was criminally persecuted for misusing the data they obtained from Facebook and not complying with data privacy laws. Two months after the breach was reported by the Observer, SCL Elections filed for bankruptcy.

In an attempt to secure their user's data and improve their public image, Facebook has more recently begun limiting the amount of data that is available through Facebook's Graph API, which is essentially a tool to allow programmers to get data about their ads, and the users their ads are being shown to. In addition to this, Facebook also revoked all of the accounts of Cambridge Analytica's parent company, SCL Elections, to ensure that they no longer have access to any user data. Overall, as a result of this scandal Facebook revamped their data privacy policies. Despite these changes, there are concerns that Facebook did not take the breach seriously enough. In September of 2018, Facebook announced a different data breach that affected 50 million of its users. Due to three bugs in Facebook's code, hackers were able to obtain the phone numbers of its users. Ironically, the reason Facebook had access to these numbers in the first place was to provide two-factor authentication, a measure intended to increase the security on their users' accounts. This potentially allowed the hackers to access any of the services that these users are log into with their Facebook profile, including Tinder and Instagram. 

Finally, the Facebook data breach started an important discussion about data privacy, and the increasing potential for its abuse by other companies and organizations. One example of this is the data collected on over 50 million public school students in the United States, which is also shared with researchers and third-party developers. This data is often stored on multiple. Concerns have also been raised about the kind of data political campaigns harvest, and how that information is harvested. In the United Kingdom, the ICO uncovered that the British Labour party was using data provided by Lifecycle Marketing (Mother & Baby) Limited, a company whose main goal is supposed to be providing information to pregnant women and new mothers. The ICO claims that Lifecycle Marketing collected data with no transparency as to how it will be used, and without consent. This data was then used by political parties to profile and target the country's population.