Skip to main content

Facebook’s Graph Search flaw exposes names with phone numbers

facebook security
Image used with permission by copyright holder

Email address collection using Facebook has been a problem that we’ve encountered before when hackers were selling email addresses by the millions. Recently a similar issue – this time having to do specifically with phone numbers – has popped up again by way of Texan mobile developer Brandon Copley who has amassed a database of 2.5 million phone numbers.

Despite having brought the issue to Facebook’s attention, Copley found that the social network preferred to brush the problem off as just a feature within Facebook that’s actually public information. If you do a quick Graph Search for individual phone numbers, granted that the user has set their profile to public and included their phone number, Graph Search will spit out the names of Facebook users associated with that phone number. 

Recognizing the technicality of scraping Graph Search for phone numbers (and email addresses), Facebook told TechCrunch, “Your privacy settings govern who can find you with search using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.” There’s not much indication of Facebook’s willingness to patch up that loophole, it seems.

Since Facebook wasn’t going to be working on fixing the security flaw within Graph Search, Copley took matters into his own hands. He scraped 2.5 million phone numbers, apparently to prove a point, and presented the evidence to Facebook. He went as far as testing the limits of his developer account and by searching thousands of phone numbers on a daily basis, bumping this up to millions of searches using the “API token of an app that isn’t rate-limited,” until his account was consequently banned by Facebook numerous times.

Then noticing what was happening, Facebook’s lawyers sprung into action with a cease and desist letter claiming that Copley was “unlawfully acquiring Facebook user data” without permission. What its lawyers were reportedly sniffing around for included the method and script itself for how Copley was scraping Facebook’s database, and with whom he’s shared this knowledge with. Understandably Facebook may have reasons to be concerned about the safety of its users considering that Copley could use his “research” for malicious purposes, but bringing its lawyers into play really makes you question if the collection of personal information is really the non-issue that Facebook initially made it out to be.

Editors' Recommendations

Francis Bea
Former Digital Trends Contributor
Francis got his first taste of the tech industry in a failed attempt at a startup during his time as a student at the…
A Facebook, Instagram bug exposed millions of passwords to its employees
Crisis Response Hub

Facebook software meant to disguise user passwords from employee access failed, leaving millions of passwords visible to the network's employees,  the company said on Thursday, March 21. The network said the bug was discovered in a routine review in January and has since been corrected. The bug exposed passwords for users on Facebook, Facebook Lite, and Instagram.

Facebook hasn’t found any evidence that the passwords were compromised externally -- the bug only exposed plain text passwords for the company’s employees, according to Facebook. The company also said they haven’t found evidence of internal employees abusing the information. Facebook didn’t say why it delayed telling users after finding the bug in January.

Read more
Did you give Facebook your phone number? You can’t delete it or make it private
voice assistants arent ready facebook targeted ads iphone x

Setting up two-factor authentication is usually a recommended move to keep important accounts secure -- but on Facebook, adding a phone number could impact privacy. After a tweet from a user complaining that Facebook required a phone number for two-factor authentication, Facebook’s iffy data practices are once again in the spotlight, this time with what actually happens to your phone number when adding two-factor authentication.

The practice coming into question isn’t new -- just highlighted by a new round of complaints. Facebook has offered two-factor authentication since 2011. The company says that phone numbers added to an account, including areas outside of two-factor authentication, are then linked to the account. Facebook uses those phone numbers for more than just security, using them for ad targeting if a business also has that same phone number and allowing other users to find their profile by typing the phone number into the search bar.

Read more
X seems to have deleted years of old Twitter images
The new X sign replacing the Twitter logo on the company's headquarters in San Francisco.

The social media platform formerly known as Twitter and recently rebranded as X appears to be having trouble showing images posted on the site between 2011 and 2014.

The issue came to widespread attention on Saturday when X user Tom Coates noted how the famous selfie posted by Ellen DeGeneres at the Oscars in 2014, which quickly broke the “most retweets” record, was no longer displaying. Later reports suggested the image had been restored, though, at the time of writing, we’re not seeing it.

Read more