Facebook leaks are a lot leakier than Facebook is letting on

Filed Under: Data loss, Facebook, Featured, Privacy

Remember last week, when Naked Security et al. told you that Facebook leaked email addresses and phone numbers for 6 million users, but that it was really kind of a modest leak, given that it's a billion-user service?

OK, scratch the "modest" part.

The researchers who originally found out that Facebook is actually creating secret dossiers for users are now saying the numbers don't quite match up.

The number of affected users Facebook noted in a posting on its security blog is far less than what they themselves found, and Facebook is also "hoarding non-user contact information - seen when it was also shared and exposed in the leak," writes ZDNet's Violet Blue.

The bug involved the exposure of contact details when using the Download Your Information (DYI) tool to access data history records, which resulted in access to an address book with contacts users hadn't provided to Facebook.

Selecting privacy settings in FacebookWhat that means is that even if you don't share details of your own personal information with Facebook, Facebook well may have gotten it through other people in your network who've let Facebook have access to their contact lists.

Facebook accidentally combined these "shadow" profiles with users' own Facebook profiles and then blurted both data sets out to people who used the DYI tool and who had some connection to the people whose data was breached.

It's understandable why Facebook users are steamed.

Facebook has gotten information you didn't choose to share, has retained it, and has inadvertently left it open for unauthorized access since at least 2012.

Some users, in fact, complained in comments that the bug persisted even after Facebook reportedly fixed it, according to Violet Blue.

Packet storm reported on Wednesday that its researchers, who had prior test data verifying the leak, were able to compare what they knew was being leaked with what Facebook reported to its users.

Packet Storm claims that Facebook didn't come clean about all the data involved.

From its posting:

"We compared Facebook email notification data to our test case data. In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure...

"Facebook claimed that information went unreported because they could not confirm it belonged to a given user. Facebook used its own discretion when notifying users of what data was disclosed, but there was apparently no discretion used by the 'bug' when it compiled your data. It does not appear that they will take any extra steps at this point to explain the real magnitude of the exposure and we suspect the numbers are much higher."

Not only is the extent of exposed data likely to expand, Packet Storm says, but the number of people affected is much higher than 6 million, given that Facebook has only contacted its users.

Here's how Facebook replied when Packet Storm asked about contacting non-users about the breach:

"We asked Facebook if they enumerated the information in hopes that their reporting had a bug but we were told that they only notified users if the leaked information mapped to their name.

"We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple - they were not contacted and the information was not reported. Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure."

That's a "weak, circular" argument, Packet Storm complains.

To better protect users' contact and personal information, the researchers suggest that Facebook can simply adopt this suggested flow:

1. When a person uploads someone's contact information, Facebook should automatically correlate it to what they have shared on their profile (and obviously only suggest them as a friend if their settings allow it). If their settings do not allow it, they should treat it as a user not in Facebook (see #2). If the information uploaded includes data specific to an individual who does not already have that data included in their profile, Facebook should provide a notification along the lines of:

"You are attempting to add data about John Smith that he has not shared with Facebook. How do you want to handle this situation?"

Two options are provided:

A) "Ask John Smith's permission to add this information"

B) "Discard additional information"

If they choose option A, John Smith is notified by Facebook the next time he logs in and gets to decide what he wants to do with HIS data. Seems simple enough.

2. When a person uploads someone's contact information and it does not correlate to any Facebook user, they should be able to use it for the Invitation feature with the caveat that Facebook automatically deletes all data within 1 week. The invite to the person can say "this link will expire in 1 week", which it should anyways. When an individual uses the invitation link to sign up, THEY will decide what information to share with Facebook.

That does seem simple enough, but Facebook hadn't responded to the suggestion at the time of writing.

While we wait for Facebook to (maybe) fix a situation that seems far more widespread than originally reported, we can help each other out by immediately removing our imported contacts, to keep everybody's personal data out of this swamp.

If you haven't done so already, you can easily remove uploaded contacts here.

, , ,

You might like

17 Responses to Facebook leaks are a lot leakier than Facebook is letting on

  1. Well done Lisa this blog is really nice much better than Facebook. Have a great weekend.

    • Lisa Vaas · 430 days ago

      Thanks! Glad you liked the post. Have a lovely weekend!

  2. Shubham · 431 days ago

    Hahaha

  3. Guest · 431 days ago

    'Gotten' is US English and not International English which these posts should use because of their international distribution.

  4. daniellynet · 431 days ago

    Thanks for the link at the end!
    Completely forgot I had imported my contacts years ago.

  5. Nigel · 431 days ago

    The Packet Storm blog is suggesting that Facebag actually do the right thing? They must have temporarily switched universes, or something.

    Anyhow, thanks for reporting this, Lisa.

    • Laurie Goren · 431 days ago

      One can't afford to assume that there isn't a shred of decency left.

    • Lisa Vaas · 430 days ago

      haha! O, those silly, optimistic researchers. Anytime, Nigel!

  6. Freida Gray · 431 days ago

    When I clicked the link to remove imported contacts all I got was a blank page.It also showed a blank page when I refreshed that page.

    • Carlos · 431 days ago

      Link worked for me - were you logged into facebook at the time?

      • donna · 431 days ago

        It told me I didn't have anything linked, so it was blank.

        • Renee · 429 days ago

          You may not have imported your contacts, then. "The bug involved the exposure of contact details when using the Download Your Information (DYI) tool to access data history records".

  7. S Kennedy Sr · 431 days ago

    How do I find out if my email and other information has been compromised by Facebook?

  8. bob · 431 days ago

    I could have sworn that quite a lot of countries have laws against companies silently holding personal data on people as well as doing it without their permission.

    • John · 430 days ago

      And in the UK, if someone provides information about a third party that is incorrect and Facebook holds that information, surely that contravenes the Data Protection Act? Also, in my opinion, Facebook has contravened several 'data protection principles' covered by the act in leaking personal data.

  9. how can i know if someone read my data?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.