Facebook data loss fiasco

When it arrived in my inbox it looked so phishy, but it isn’t.

facebook-email

Facebook has emailed users admitting to the most enormous blunder. Somehow, someone at Facebook managed to lose users’ settings controlling when they should be emailed.

Now, this isn’t like having information about users’ identities or credit cards stolen or leaked out onto the net, and there’s no suggestion that there is anything criminal going on here, but this is monumentally embarrassing for the social networking giant.

Because they really did _lose_ information. Permanently. Which means a software engineer on their team must have accidentally damaged or overwritten entries in their database beyond repair. Millions of Facebook users, potentially, will need to go in an reset their settings because of a simple mistake.

Of course, when any normal company has an accident like this they can just restore from a backup and get back to where they were before the accident took place.

But err.. this doesn’t seem to be happening in this case. Instead, Facebook has sent out an email to its users apologising profusely, and asking that Facebook fanatics log in to the system and reset their settings to avoid being bombarded with messages every time they’re poked, bitten by a vampire, or asked to participate in talk like a pirate day.

facebook-settings

So, what can you learn from this? Well, you should have learnt that you cannot necessarily rely on web companies like Facebook to look after your data. If it can happen to your email notification settings, it can happen to other information about you. If you have data that you don’t want to be permanently lost (like your photos for instance), make sure you’re not relying on a website like Facebook to look after them.

Of course, this isn’t the first time that Facebook has been careless with its members’ data.

What also worries me is that Facebook don’t seem to have thought through their response to this with security in mind.

The email they’ve sent out includes a link for people to log in to the site. Hackers could create a copycat email which contained a clickable link which actually took users to one of the many bogus Facebook webpages we encounter these days, designed to phish login details from the unwary.

Wouldn’t it have been better if Facebook had just told users to log in to the site (without providing the link), and then confirmed at login that the notification settings had to be looked at once again?

It would probably have been useful if they had talked about this incident on the Facebook blog too, just to reassure internet users that the messages were legitimate.