Facebook issues data breach notification - may have leaked your email and phone number

Filed Under: Data loss, Facebook, Featured, Privacy, Social networks

Facebook just published a data breach notification on its security blog.

You might not immediately notice that from the title of the article, which announces itself as an "Important Message from Facebook's White Hat Program."

But the social networking giant is, indeed, reporting a data leakage problem.

The silver lining is that the quantity of data wrongly disclosed due to Facebook's bug seems to be modest, at least by the standards of a billion-user service.

The cloud (bad pun intended) is that Facebook's systems made the fault possible in the first place.

What happened?

Facebook, understandably, isn't giving the gory details of the bug and how it could have been exploited, which makes the big picture hard to see.

What it is saying, is this:

We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.

So let me tell you what I think the story is all about.

Bear with me, please: I'm going to take a while to set the stage first.

Sharing contact lists

Imagine that Charlie Smith - one of thousands of people with that name - is on Facebook.

He's chosen to tell Facebook his email address, chazza@example.org, but not much more. He hasn't shared where he lives, the name of his employer or his phone number.

Alice joins up and decides to let Facebook at her contact lists. (Facebook squeezes you pretty hard to try to persuade you to upload as much as possible about your web of friends, for reasons that will become obvious in a moment.)

She knows a Charlie Smith; her Charles has a phone number of +1.500.555.5000, and an email address of chazza@example.org.

Facebook can now cross-match the email address and suggest that she might want to try to hook up with Charlie.

Chances are, of all the C. Smiths on Facebook, this is the one she knows.

She sends a Friend Request; it was the right Charlie, and he accepts it.

So far, so good.

Later, Bob comes along.

His contact list, which he yields up to the Facebook empire, identifies a chazza@example.org, known as Charlie Smith, currently living in Someplace, Pennsylvania, and working for the Acme Pointed Stick company.

Facebook likewise puts Bob in touch with Charlie, and thus indirectly with Alice, and the three of them end up as Facebook friends.

Alice is happy; Bob is happy; and, since he agreed to the Friend Requests, we assume Charlie is happy too.

Easy as A-B-C.

Mining your contact data

Of course, Facebook is the happiest of all, because it now knows (or can make a staggeringly likely guess at) a bunch of personal information about Charlie that he himself chose not to reveal.

Of course, as more people share more information about their contacts, and implicitly confirm the identity of those contacts through the Facebook friendships they forge, Facebook builds up an ever more detailed picture of everyone.

Welcome to the wonderful world of data mining.

You don't have to like this sort of thing, but there's not a lot you can do about it.

Even staying away from sites like Facebook, or "resigning" from them if you're already on, might not help very much.

After all, in our hypothetical example above, Charlie Smith only gave his name and email address; his address, employer and phone number were provided by other people, presumably with their informed consent.

→ Alice and Bob may not have thought through the consequences of letting Facebook at their contact lists, but it was their their choice to populate their contact databases with the sort of detail they did, and their choice to let Facebook at that data.

Data leakage

What Facebook seems to be admitting to, in Friday's breach notification message, is that it was careless with the aggregated data accumulated from contact list uploads.

The problem, says Facebook, lay in its Download Your Information (DYI) feature, which exists so you can suck down everything you've previously entrusted to the social networking giant.

Ironically, DYI itself is an important security component of Facebook, because it helps to deal with two serious concerns about cloud-style services:

  • DYI improves availability, because it allows you to make your own off-site backup of everything you've stored on Facebook.
  • DYI improves transparency, because it acts as a record of everything you've uploaded to Facebook over the years.

But there was a bug in DYI, of the data leakage/unauthorised disclosure sort.

Apparently, DYI was capable of letting you download more than you'd uploaded in the first place.

Using our example above, Bob might have ended up receiving Alice's contact data about Charlie, as well as his own, when he hit the DYI button.

In other words, Bob wouldn't just get back Charlie's address and workplace, which is what he himself uploaded, but might also have ended up with Charlie's phone number, courtesy of Alice.

That's not good at all.

It's especially bad for Charlie, who not only didn't open up his phone number to his Facebook friends, but chose not to upload it in the first place.

What to do?

Facebook chose to release its statement about this breach on Friday evening, which has already raised the eyebrows of former Naked Security denizen Graham Cluley.

Friday nights, he argues, are the traditional time for burying the sort of announcements you make of necessity rather than by choice.

You can see why Facebook might want this to be a weekend story: there's a chance that it might cause some companies to rethink their "Facebook at Work" strategies, and go back to the old days where Facebook was blocked outright.

That would put a dent in Facebook's daytime traffic, for sure.

After all, if someone shares their contact list while they're at work, they might end up sharing a whole lot more, about many more people, than they really intended.

And Facebook just admitted that, somewhere in its cloud, was a bug that prevented it from taking proper care of that data.

The outcome

Facebook turned off DYI once the bug was disclosed, fixed it, turned DYI back on again, and published its data breach notification.

Even if you take a cynical view of the timing and the title of the notification, I think you should be happy about some aspects of this cautionary tale:

  • Respect to the finder of the bug for disclosing it responsibly to Facebook so it could be fixed, even though he'd probably have got a lot more publicity if he'd told the world first.
  • Thanks to Facebook for having a bug bounty programme so that the finder gets some sort of reward for doing the right thing.
  • Well done to Facebook for taking the bug report seriously and fixing the problem.
  • Congratulations to those jurisdictions that have passed strong data breach notification laws, so that this sort of problem can't just be swept under the carpet.
  • Huzzah to those of you who take the stance of not sharing contact lists with social networking sites, on the principle that "if you don't share it, they can't lose it."

, , , ,

You might like

11 Responses to Facebook issues data breach notification - may have leaked your email and phone number

  1. Just Me · 837 days ago

    Fear of something like this is EXACTLY why I didn't use the find a friend or the import friends from email. Not only that, I have email contacts that are business related and don't need them having access to my FB account.

  2. Frank · 837 days ago

    there seems to be something fishy going on with facebooks friend system anyway. after using their latest symbian application yesterday afternoon (not by intent uploading any e-mail adress lists) I so far have confirmations of friendships with people I haven't heard of ever. sending an error report to facebook just produces the standard response about them unable to deal with every single problem. as I'm only supplying minimal data to facebook it shouldn't really be dramatic but I wonder what's next.

  3. JC Torpey · 837 days ago

    Have to second what "Just Me' said above. I never share my contact lists, and especially never share them with such sites as Facebook - as a writer who ghostwrites for some powerful clients, most of whom for which I've signed an NDA, I can't take the chance.

  4. Martin S · 837 days ago

    But for Just Me and JC Torpey, the point is that facebook is getting information from "your friends" about you. So you don't have to upload much for Facebook to get a lot of information.

    • Paul Ducklin · 837 days ago

      Sure...but thanks to users like @Just Me and @JC Torpey, who aren't sharing their contact lists, at least Facebook isn't getting data about other people from them.

  5. But the problem is that your FB friends and others provide personal information about YOU. Nobody needs you to provide this information. There the fun starts.

  6. Guest · 837 days ago

    @ JC Torpey

    "I've signed an NDA" and it's not like mentioning the agreement is recognizable as a form of obvious disclosure or anything.

  7. Fiona · 836 days ago

    If our friends ALSO did not share their contact lists, then facebook wouldn't be getting any data about us either from them.
    Too late for me and my friends though >.>

  8. Janice Allen · 835 days ago

    I don't know why anybody would be surprised by this article. Facebook knows everything about us.

  9. digitallipix · 835 days ago

    Hey thanks for this! I had literally only posted an hours or so before someone directed me here, asking if anyone knew what VK.com was and how it had got my fone number as I received 2 sms enclosing an "activation code" for me to activate my "VK page" ... apparently it's a russian social networking site! I rarely register more details than I'm forced to online and have a fairly new number which few people have. However of the people who have my number, some of them definitely upload their contacts to facebook. SO while I'm not happy to read the content or your article, I am definitely ;ess stressed now I have

  10. zingado · 816 days ago

    Facebook has been preventing its users from deactivating their accounts and still using their data. now it is evident that FB is a pure intelligence site. the annoying part is that you cannot get rid of it now. you just cant delete your account. what the f-ck

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog