
Researchers say Facebook security breach affected more users than the social network admits

When Facebook came clean about a recent security bug that exposed 6 million users’ personal information to their contacts, it softened the blow by saying that the effect of the bug was probably minimal, since the people who received their friends’ data could likely have had access to that contact information already. Facebook users were outraged nonetheless, and it turns out they had reason to be: according to Sophos, the Facebook info leak is actually much worse than we were told, and the researchers who initially discovered the existence of shadow profiles say that the numbers don’t match up.

Researchers at Packet Storm compared the test data with which they had earlier verified the leak against the amount of information Facebook claims it accidentally left out in the open, and found the following:

In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure.

Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the ‘bug’ when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher.

According to the same report, Facebook was also effectively collecting non-user contact information, which was also exposed by the security bug. Facebook declined to comment when Packet Storm asked the company to produce a collective accounting of all the information affected by the mishap. When asked about the company’s efforts to inform non-Facebook users affected by the breach, Facebook simply said “[non-users] were not contacted and the information was not reported … if [Facebook] attempted to contact non-users, it would lead to more information disclosure.”

Facebook’s apology post owned up to the social network’s technical errors, but if this latest development is true, then it erases any applause the company earned for its apparent transparency.

Sophos suggests that while we all wait for an official (and legitimate) Facebook fix, users can remove contacts they’ve imported into the social media account to minimize further unauthorized access and information dissemination. Don’t worry about the threat of your friend recommendations becoming less relevant as a result of this deletion – most of us are already Facebook friends with the people that matter, anyway. If you’re not, then maybe take a quick look through your recommended friends list, do what needs to be done, and then get out. 

Jam Kotenko
Former Digital Trends Contributor