Malicious actors used Facebook’s own tools to scrape most users’ public info

Facebook has disabled a search tool that allowed anyone to enter a person’s phone number or email address into Facebook and find their account, along with all the information that user did not choose to hide from others. The company has also announced changes to its account recovery tool.

The reason behind this decision? “Malicious actors” have abused these features to scrape public profile information.

Facebook search data scraping

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook CTO Mike Schroepfer shared.

With Facebook numbering 2.2 billion monthly active users as of January 2018, the number of users whose information has been scraped is likely vast.

Company officials acknowledged to the Chicago Tribune that the abuse of Facebook’s search tools happened over the course of several years.

Apparently, the malicious actors obtained user email addresses and phone numbers from the dark web, fed them (through automated computer programs) into Facebook’s search tool, and so discovered the full names and other public information of the people associated with those addresses and phone numbers.

If the users chose not to make their accounts private – as many don’t, or don’t know how – the automated scrapers harvested a great deal of sensitive information that could later be misused to steal those users’ identities.
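The scraping pattern described above, a single automated source looking up one harvested email address or phone number after another, is easy to tell apart from ordinary name searches in access logs. The following is an added defender-side example, not code from the original article or from Facebook: it parses constructed log lines for a hypothetical contact-lookup endpoint (log format, endpoint path and threshold are assumptions) and flags sources that look up many distinct contact identifiers.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (source, request, status) for a hypothetical
# contact-lookup endpoint; the format is an assumption for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /search?q=alice%40example.com 200
10.0.0.5 GET /search?q=bob%40example.com 200
10.0.0.5 GET /search?q=%2B15550001111 200
10.0.0.5 GET /search?q=%2B15550002222 200
10.0.0.5 GET /search?q=carol%40example.com 404
10.0.0.5 GET /search?q=%2B15550003333 200
192.0.2.9 GET /search?q=alice%40example.com 200
192.0.2.9 GET /search?q=alice%40example.com 200
192.0.2.9 GET /search?q=Alice%20Smith 200
"""

LINE_RE = re.compile(r"^(\S+) GET /search\?q=(\S+) (\d{3})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def is_contact_identifier(query):
    """True when the query is an email address or phone number rather than a name."""
    return bool(EMAIL_RE.match(query) or PHONE_RE.match(query))


def contact_lookups_by_source(log_text):
    """Map each source to the set of distinct contact identifiers it looked up."""
    lookups = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        source, raw_query, _status = m.groups()
        query = unquote(raw_query)  # decode %40 -> @, %2B -> +
        if is_contact_identifier(query):
            lookups[source].add(query)
    return lookups


def flag_enumerators(log_text, threshold=5):
    """Sources that looked up at least `threshold` distinct contacts, with their counts."""
    return {src: len(ids) for src, ids in contact_lookups_by_source(log_text).items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    for src, n in flag_enumerators(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct contact identifiers looked up")
```

In practice the count would be taken over a sliding time window and the same source key applied across IPs, sessions or API keys; the distinct-identifier count, not the raw request rate, is what separates enumeration from a user repeatedly searching one friend.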

The question now is why Facebook did not find a way, or did not make the effort, to prevent this scraping after it first noticed the activity.

Putting out the fire

As can be expected, Facebook is trying to minimize the damage that the Cambridge Analytica scandal and subsequent revelations of lax data protection and privacy measures have brought onto the company.

In the latest slew of changes aimed at signaling that the company is taking user and data security seriously, Schroepfer announced further restrictions on what applications can collect: information about the events users are attending, the groups they belong to (including member lists and group information), information about their calls and texts, and so on.

“Finally, starting on Monday, April 9, we’ll show people a link at the top of their News Feed so they can see what apps they use — and the information they have shared with those apps. People will also be able to remove apps that they no longer want,” he added.

“As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica. In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica.”

Whether these and other changes will be enough to appease users and US legislators remains to be seen.

In 2011, Facebook settled Federal Trade Commission charges that it had deceived consumers by failing to keep privacy promises, and took on various obligations. Among them is the obligation to “establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information.”

The FTC noted last week that, in light of the Cambridge Analytica news, it would now open a new investigation.
