Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Managing Editor, Help Net Security
April 6, 2018
Malicious actors used Facebook’s own tools to scrape most users’ public info

Facebook has disabled a search tool that allowed anyone to enter a person’s phone number or email address into Facebook and find their account, along with all the information that user did not choose to hide from others. The company has also announced changes to its account recovery tool.

The reason behind this decision? “Malicious actors” have abused these features to scrape public profile information.

Facebook search data scraping

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook CTO Mike Schroepfer shared.

With Facebook numbering 2.2 billion monthly active users as of January 2018, the number of users whose information has been scraped is likely vast.

Company officials acknowledged to Chicago Tribune that the abuse of Facebook’s search tools happened over the course of several years.

Apparently, the malicious actors obtained user email addresses and phone numbers from the dark web, fed them (through automated programs) into Facebook's search tool, and discovered the full names and other public information of the people associated with those addresses and phone numbers.

If users had not made their accounts private – as many don't, or don't know how to – the automated scrapers harvested a great deal of sensitive information that could later be misused to steal those users' identities.

The question now is why Facebook did not find a way, or did not make the effort, to prevent this scraping after it first noticed the activity.
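An added example, not from the article or from Facebook: a simple detection check for the bulk-lookup pattern described above, run over constructed, hypothetical lookup-log lines. It flags any client that queries many distinct email addresses or phone numbers within a short window, which is what distinguishes an automated scraper from a person looking up a friend.

```python
"""Flag bulk account-lookup (enumeration) activity in constructed request logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# timestamp, client address, lookup key (phone or email), result.
SAMPLE_LOG = """\
2018-04-01T10:00:01Z client=203.0.113.7 key=+15550100001 result=hit
2018-04-01T10:00:02Z client=203.0.113.7 key=+15550100002 result=hit
2018-04-01T10:00:02Z client=203.0.113.7 key=alice@example.com result=miss
2018-04-01T10:00:03Z client=203.0.113.7 key=+15550100003 result=hit
2018-04-01T10:00:04Z client=203.0.113.7 key=bob@example.com result=hit
2018-04-01T10:00:05Z client=203.0.113.7 key=+15550100004 result=hit
2018-04-01T10:30:00Z client=198.51.100.9 key=carol@example.com result=hit
2018-04-01T10:31:00Z client=198.51.100.9 key=carol@example.com result=hit
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_bulk_lookups(log_text, window=timedelta(minutes=5), max_distinct=5):
    """Return {client: distinct_keys} for every client that looked up more than
    max_distinct distinct identifiers inside any sliding time window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append((rec["ts"], rec["key"]))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {key for _, key in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(len(distinct), flagged.get(client, 0))
    return flagged
```

Raising the threshold or widening the window trades sensitivity for fewer false positives; a repeated lookup of the same key by one client is deliberately not counted.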

Putting out the fire

As can be expected, Facebook is trying to minimize the damage that the Cambridge Analytica scandal and the subsequent revelations of lax data protection and privacy measures have brought upon the company.

In the latest slew of changes aimed at signaling that the company is taking user and data security seriously, Schroepfer announced further restrictions on what applications can collect: information about the events users are attending, lists of and information about groups users belong to, information about calls and texts, and so on.

“Finally, starting on Monday, April 9, we’ll show people a link at the top of their News Feed so they can see what apps they use — and the information they have shared with those apps. People will also be able to remove apps that they no longer want,” he added.

“As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica. In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica.”

Whether these and other changes will be enough to appease users and US legislators remains to be seen.

Also, in 2011, Facebook settled Federal Trade Commission charges that it deceived consumers by failing to keep privacy promises, and took on various obligations. Among them is the obligation to "establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information."

The FTC noted last week that, in light of the Cambridge Analytica news, it would now open a new investigation.
