When Facebook came clean about a recent security bug that caused the exposure of 6 million users’ personal information to their contacts, they softened the blow by saying that the effect of the bug was probably minimal, since the people who likely received their friends’ data could have already had access to the contact info in the first place. Facebook users were outraged nonetheless, and it turns out they had reason to be: According to Sophos, the Facebook info leak is actually much worse than we were told and that the researchers who initially discovered the existence of shadow profiles are saying that the numbers don’t match up.
Researchers at the company Packet Storm compared their prior test data that verified the leak to the amount of information Facebook claims it accidentally left out in the open, and found out the following:
In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure.
Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.
According to the same report, Facebook was also effectively collecting non-user contact information, which was also exposed by the security bug. Facebook declined to comment when Packet Storm asked the company to produce a collective accounting of all the information affected by the mishap. When asked about the company’s efforts to inform non-Facebook users affected by the breach, Facebook simply said “[non-users] were not contacted and the information was not reported … if [Facebook] attempted to contact non-users, it would lead to more information disclosure.”
Facebook’s apology post owned up to the social network’s technical errors, but if this latest development is true, then it erases any applause the company earned for its apparent transparency.
Sophos suggests that while we all wait for an official (and legitimate) Facebook fix, users can remove contacts they’ve imported into the social media account to minimize further unauthorized access and information dissemination. Don’t worry about the threat of your friend recommendations becoming less relevant as a result of this deletion – most of us are already Facebook friends with the people that matter, anyway. If you’re not, then maybe take a quick look through your recommended friends list, do what needs to be done, and then get out.