Details of 100 million Facebook users were *already* exposed on the net

Facebook and magnifying glass
Have you seen the headlines? They’re pretty scary-looking.

Here’s just a handful – although there were hundreds more to choose from:

“A fifth of Facebook users names ‘leaked’ to file-sharers”, Techwatch

“Details from 100 million Facebook profiles posted online”, Network World

“Details of 100m Facebook users collected and published”, BBC News Online

“100 million Facebook accounts exposed”, V3

At first glance these headlines might appear frightening. But there’s one thing you need to know. All of this information was already available to anyone on the internet.

What’s happened is that a security consultant called Ron Bowes wrote some scripts to harvest publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

In total he managed to scrape the names and urls of some 100 million Facebook users (about 20% of their population), and posted the database of snaffled information up on a peer-to-peer file-sharing network for anyone to download.

The Facebook user data can be downloaded from a peer-to-peer file-sharing network

This wasn’t really a “hack” as such, as the guy who collected this information didn’t have to break into accounts to access the information. The personal information from users’ Facebook profiles was already available to anyone because individuals’ privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

The real problem here is that users haven’t secured their profiles well enough – but I don’t think they’re the only ones at fault. Facebook has gradually eroded its users’ privacy over the years, in an attempt to share more information with the rest of the internet. In fact, it’s even recommended that users use settings that share more information – and some users may not have been aware that going with Facebook’s recommendations would leave them open to being snooped on in this fashion.

The problem is that once you’ve shared your information with “everyone” on the net in this fashion, there’s no going back. You can’t withdraw your data – and now the user details have been harvested they will forever be available for anyone to access.

Facebook privacy setting

Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don’t know, and are comfortable with their choices. Today the news story is about names and urls being scooped up – maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.

We’ve published a step-by-step guide where Facebook users can check their privacy settings and ensure their information is better secured.

Please take care when you’re online, and consider joining the Sophos page on Facebook to be kept informed of the latest security threats.