How Facebook leaked thousands of private messages all because of a typo

Filed Under: Facebook, Featured, Privacy

Facebook messagesKatya appears to be a teen girl living in Mexico.

Some of the things her friends have shared on Facebook include the massacre of baby cows in Farmville.

One of the private messages sent to Katya on Facebook might contain a biblical reference, or perhaps it's a reference to a number significant to the Illuminati. At any rate, it reads:

Love and miss you. I want to give you this hug :33.

How do I know any of this, particularly given that Katya's privacy settings prevent people from sending her a private message or writing on her wall unless they're her friends?

I know because Forbes' Kashmir Hill knows.

Kashmir Hill knows because a woman named Kristal McKenzie knows, and Kristal McKenzie knows because she received Katya's private Facebook messages - they numbered 14,000 before the mess got cleaned up - updates from Katya's friends, updates when Katya got poked, and friend requests.

The problem started, Hill writes, after McKenzie had given up on Facebook.

She had a baby on the way, wanted to focus on what she called "the people in [her] real life", and was tired of Facebook's near-constant privacy changes.

In spite of having closed her account, last summer, she got a message from Facebook welcoming her back.

It was in Spanish, and it was addressed to Katya.

Obviously, somebody signed up for an account and mistyped their email address, after which the personal life of Katya's private Facebook persona began to spill into McKenzie's world.

It should have been pretty straightforward to fix. There's an option in the welcome email that a recipient can click to indicate that it's not his or her email.

McKenzie did that, and, she told Hill, Facebook's website accordingly told her that she would be disassociated from Katya's account.

Only she wasn't. Or rather, she sort of was, in that she couldn't log onto the account so as to unsubscribe, since she was disassociated, but the messages didn't stop coming.

She tried creating a new Facebook account with her email address, but the upshot was just that she got notifications on both accounts.

Her email messages to Facebook's abuse and PR departments went into a black hole, as such messages from normal people - i.e., people who aren't the media - tend to do.

She got in touch with the US Federal Communications Commission (FCC) and a privacy organization for young people that works with Facebook.

The privacy group said they'd pass along the message to Facebook. Again, that got McKenzie nowhere.

Both McKenzie and Hill tried to reach Katya through one of her friends, but that didn't work. Katya actually went on to create Skype and AskFm accounts using McKenzie's email address, but McKenzie managed to get those shut down.

Only when Hill, a reporter for a widely read magazine, got in touch with Facebook did the gaping privacy hole close.

The problem was, Facebook told Hill, a quirky little bug: in "extremely rare circumstances", a spokesperson told her, the link at the bottom of emails that people use to report incorrectly addressed messages wasn't working properly.

The spokesperson said that this perfect privacy storm was triggered by a combination of mistyping an email address, not confirming it, but then successfully confirming a contact phone number.

Facebook is now fixing it "to ensure it can't happen again", the spokesperson told Hill.

Facebook reportAs Hill said, it sounds like a rare fluke, but what turns a molehill into a privacy mountain is the fact that the whole thing could have been, if not avoided completely, a lot less severe were Facebook to have responded to McKenzie's messages about the situation in the first place.

McKenzie said that the episode belies Facebook's claims to care about our privacy:

The tech companies assure us they're concerned about privacy yet there was no way for me to notify Facebook about this. She's a teenager. I didn't want to be privy to what's going on in her life.

Facebook, seriously, neither do I - answer the door when users like McKenzie ring your bell.


, ,

You might like

17 Responses to How Facebook leaked thousands of private messages all because of a typo

  1. Laurence Marks · 172 days ago

    The symbol :33 is an emoticon. Turn your head sideways to the left. It's either a woman with four breasts or a cow.

    • Lisa Vaas · 172 days ago

      Or maybe a mutant cat with four chins.

      From Urban Dictionary definition of :3: "A symbol meant to represent the cat face made by anime characters when they say something clever, or sarcastic, or are commenting on something cute."

  2. Blake · 172 days ago

    I look forward to the day a new social network comes out, to replace facebook at the top of popularity.

  3. Adrian · 172 days ago

    Sure hope the teens that massacred baby cows in Farmville got tracked and severely prosecuted. What sick world do we live in!!

  4. Edna H · 172 days ago

    One issue not mentioned here: i got one of those "welcome to Facebook" e-mails a few weeks ago, addressed to someone who had mistyped my e-mail address for theirs. Only problem? The e-mail was in Portuguese, and it took some time to figure out WHERE to click to report the problem, since I don't speak Portuguese.

  5. eiszeit · 172 days ago

    I was receiving emails about 'my' bathroom renovation and 'my' Netflix' account after someone entered my email address instead of theirs... the bathroom ones I was able to stop but the Netflix will never end because 'Netflix does not operate in your country'.

    *sigh*

  6. Jonathan Stevens · 172 days ago

    Interesting post. Thanks for sharing!

  7. At one point I was getting emails from DishTV (an Indian network), presumably a subscriber had mistyped their email. There was no way to unsubscribe, so I just sent them to the spam folder.

    I've also recevied business emails from somebody who gave their colleagues the wrong email address. I've normally just polietly replied to let them know the mistake, and they've been reasonable about it.

    Part of the problem might be using a GMail address in the form of first initial surname @ gmail.com, presumably others with the same (or vaguely similar) surname and first initial assume that *must* be their email address.

  8. dippy · 172 days ago

    Amazon.com has similar issues, esp where gmail addresses are concerned, since gmail treats zzzz.ppp@gmail the same as zzzzppp@gmail and amazon treats them as completely un-related.

  9. a commenter · 172 days ago

    Interesting how a small bug in popular software can have devastating effects. People demand so much from Facebook, but just imagine how any "fix" they can implement will affect the rest of the site. Q/A is not as simple as you think.

  10. PE · 172 days ago

    facebook created email accounts a couple of years ago. I did not want a facebook email because it is too easy for someone to do this .. I would delete it and shut that email down if we could

  11. What about this one.

    I am not 100% clear on how to reproduce it, but it goes something like this.

    A person can create an account 1234 at gmail.com and another person can create 1.2.3.4 at gmail.com

    The problem is that emails for 1234 at gmail.com end up in 1.2.3.4 at gmail.com inbox.

    I have been receiving someone else's email for years now.

  12. Gadget · 172 days ago

    I inadvertently ended up with control of a complete strangers facebook account. I messaged facebook repeatedly and got no response. Ended up working it all out myself but the owner of the other account was very lucky I am an extremely honest person! I just couldn't believe I couldn't find anyone who cared...silly me...I kinda thought it was a really big deal.

  13. andrew · 170 days ago

    i tried to get hold of facebook to report a company that was posting pictures of my son on their page. i never got a response, after numerous attempts i ended up getting everyone i knew to contact the company asking for the pictures to be removed. the negative publicity worked.

  14. Blvugirl · 168 days ago

    This happened to me today! Someone from India set up a facebook account using my personal email address. I received numberous emails all day long when new friends were added etc. I changed my email password. Then went to facebook and reset the password associated to this new account. I then went to facebook to report the fake facebook account associated with my email address and kept going in circles trying to report it. I finally had to submit a general inquiry since the link to report abuse/scam wasn't working. I hope they resolve my issue quicker than the one in this article!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.