Facebook has been involved in eight data breaches since its launch in 2004. The most famous breach was the Cambridge Analytica scandal, where the company sold the data of 87 million users.
In 2021, Facebook acknowledged a data leak that exposed the personal information of approximately half a billion users. The data included names, birthdays, locations, and phone numbers. Facebook said the leak stemmed from a security problem in 2019 that they had since fixed. They denied any wrongdoing, saying that the data was scraped from publicly available information on the site.
Facebook parent company Meta Platforms agreed to pay $725 million in settlement in a lawsuit seeking damages for allowing third parties, including Cambridge Analytica, access to user data. Facebook users who had an active account at any point between May 2007 and December 2022 can apply to receive a piece of the settlement.

Instagram has had several data breaches in recent years, including:
In August 2020, an unsecured database containing 235 million profiles from Instagram, TikTok, and YouTube was discovered.
In January 2021, a data leak exposed scraped data on 214 million social media accounts.
In September 2022, Irish regulators fined Instagram €405m for data privacy violations.
Instagram was accused of processing children’s privacy data for business accounts and on a user registration platform. Earlier, teen users’ (aged between 13 and 17) accounts were made ‘public’ by default, and they were easily targeted by ads and hacking methods.

Twitter had a data breach in November 2021 that was caused by a vulnerability in Twitter’s software. The vulnerability allowed hackers to learn if an email address or phone number was associated with an existing account. The vulnerability was first flagged to Twitter in January 2022. Twitter fixed the flaw on January 13, 2022.
The breach involved tricking a piece of software linked to Twitter called an API (application programming interface) into revealing hidden details about accounts. Hackers were able to submit an email address or phone number to Twitter’s systems to reveal the username associated with that phone number or email address.
At the end of 2022, there were reports that hackers were selling data stolen from 400 million Twitter users. Researchers now say that a widely circulated trove of email addresses linked to about 200 million users is likely a refined version of the larger trove with duplicate entries removed.

Sources: Wired, Firewall Times, CNN, Verge.