Facebook issues data breach notification – may have leaked your email and phone number

Facebook just published a data breach notification on its security blog.

You might not immediately notice that from the title of the article, which announces itself as an “Important Message from Facebook’s White Hat Program.”

But the social networking giant is, indeed, reporting a data leakage problem.

The silver lining is that the quantity of data wrongly disclosed due to Facebook’s bug seems to be modest, at least by the standards of a billion-user service.

The cloud (bad pun intended) is that Facebook’s systems made the fault possible in the first place.

What happened?

Facebook, understandably, isn’t giving the gory details of the bug and how it could have been exploited, which makes the big picture hard to see.

What it is saying is this:

We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.

So let me tell you what I think the story is all about.

Bear with me, please: I’m going to take a while to set the stage first.

Sharing contact lists

Imagine that Charlie Smith – one of thousands of people with that name – is on Facebook.

He’s chosen to tell Facebook his email address, chazza@example.org, but not much more. He hasn’t shared where he lives, the name of his employer or his phone number.

Alice joins up and decides to let Facebook at her contact lists. (Facebook squeezes you pretty hard to try to persuade you to upload as much as possible about your web of friends, for reasons that will become obvious in a moment.)

She knows a Charlie Smith; her Charles has a phone number of +1.500.555.5000, and an email address of chazza@example.org.

Facebook can now cross-match the email address and suggest that she might want to try to hook up with Charlie.

Chances are, of all the C. Smiths on Facebook, this is the one she knows.

She sends a Friend Request; it was the right Charlie, and he accepts it.

So far, so good.

Later, Bob comes along.

His contact list, which he yields up to the Facebook empire, identifies a chazza@example.org, known as Charlie Smith, currently living in Someplace, Pennsylvania, and working for the Acme Pointed Stick company.

Facebook likewise puts Bob in touch with Charlie, and thus indirectly with Alice, and the three of them end up as Facebook friends.

Alice is happy; Bob is happy; and, since he agreed to the Friend Requests, we assume Charlie is happy too.

Easy as A-B-C.

Mining your contact data

Of course, Facebook is the happiest of all, because it now knows (or can make a staggeringly likely guess at) a bunch of personal information about Charlie that he himself chose not to reveal.

Of course, as more people share more information about their contacts, and implicitly confirm the identity of those contacts through the Facebook friendships they forge, Facebook builds up an ever more detailed picture of everyone.

Welcome to the wonderful world of data mining.

You don’t have to like this sort of thing, but there’s not a lot you can do about it.

Even staying away from sites like Facebook, or “resigning” from them if you’re already on, might not help very much.

After all, in our hypothetical example above, Charlie Smith only gave his name and email address; his address, employer and phone number were provided by other people, presumably with their informed consent.

→ Alice and Bob may not have thought through the consequences of letting Facebook at their contact lists, but it was their choice to populate their contact databases with the sort of detail they did, and their choice to let Facebook at that data.

Data leakage

What Facebook seems to be admitting to, in Friday’s breach notification message, is that it was careless with the aggregated data accumulated from contact list uploads.

The problem, says Facebook, lay in its Download Your Information (DYI) feature, which exists so you can suck down everything you’ve previously entrusted to the social networking giant.

Ironically, DYI itself is an important security component of Facebook, because it helps to deal with two serious concerns about cloud-style services:

  • DYI improves availability, because it allows you to make your own off-site backup of everything you’ve stored on Facebook.
  • DYI improves transparency, because it acts as a record of everything you’ve uploaded to Facebook over the years.

But there was a bug in DYI, of the data leakage/unauthorised disclosure sort.

Apparently, DYI was capable of letting you download more than you’d uploaded in the first place.

Using our example above, Bob might have ended up receiving Alice’s contact data about Charlie, as well as his own, when he hit the DYI button.

In other words, Bob wouldn’t just get back Charlie’s address and workplace, which is what he himself uploaded, but might also have ended up with Charlie’s phone number, courtesy of Alice.

That’s not good at all.

It’s especially bad for Charlie, who not only didn’t open up his phone number to his Facebook friends, but chose not to upload it in the first place.
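
To make the suspected flaw concrete, here is an added Python sketch (not Facebook's code, and not part of the original article) that models the Alice/Bob/Charlie example: a hypothetical `ContactStore` merges uploads by email address, and a flawed export returns the whole merged record while a scoped export returns only what the requester uploaded. All class and function names, and the sample rows, are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows mirroring the article: (uploader, email, field, value)
UPLOADS = [
    ("alice", "chazza@example.org", "phone", "+1.500.555.5000"),
    ("bob", "chazza@example.org", "city", "Someplace, Pennsylvania"),
    ("bob", "chazza@example.org", "employer", "Acme Pointed Stick"),
]


class ContactStore:
    """Hypothetical store that merges uploaded contact details by email address."""
    def __init__(self):
        # email -> list of (uploader, field, value): provenance is kept per field
        self._records = defaultdict(list)

    def upload(self, uploader, email, field, value):
        self._records[email].append((uploader, field, value))

    def export_leaky(self, requester):
        """Flawed: returns the merged record for any contact the requester knows."""
        out = {}
        for email, rows in self._records.items():
            if any(u == requester for u, _, _ in rows):
                out[email] = {f: v for _, f, v in rows}  # ignores who uploaded what
        return out

    def export_scoped(self, requester):
        """Scoped: returns only the fields the requester uploaded themselves."""
        out = {}
        for email, rows in self._records.items():
            own = {f: v for u, f, v in rows if u == requester}
            if own:
                out[email] = own
        return out


def build_store():
    store = ContactStore()
    for row in UPLOADS:
        store.upload(*row)
    return store


def leaked_fields(store, requester):
    """Fields present in the flawed export that the requester never uploaded."""
    leaky, scoped = store.export_leaky(requester), store.export_scoped(requester)
    diff = {e: sorted(set(leaky[e]) - set(scoped.get(e, {}))) for e in leaky}
    return {e: f for e, f in diff.items() if f}
```

Running a check like `leaked_fields` for every account in a test dataset works as a regression test that an export never contains a field the requester did not supply.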

What to do?

Facebook chose to release its statement about this breach on Friday evening, which has already raised the eyebrows of former Naked Security denizen Graham Cluley.

Friday nights, he argues, are the traditional time for burying the sort of announcements you make of necessity rather than by choice.

You can see why Facebook might want this to be a weekend story: there’s a chance that it might cause some companies to rethink their “Facebook at Work” strategies, and go back to the old days where Facebook was blocked outright.

That would put a dent in Facebook’s daytime traffic, for sure.

After all, if someone shares their contact list while they’re at work, they might end up sharing a whole lot more, about many more people, than they really intended.

And Facebook just admitted that, somewhere in its cloud, was a bug that prevented it from taking proper care of that data.

The outcome

Facebook turned off DYI once the bug was disclosed, fixed it, turned DYI back on again, and published its data breach notification.

Even if you take a cynical view of the timing and the title of the notification, I think you should be happy about some aspects of this cautionary tale:

  • Respect to the finder of the bug for disclosing it responsibly to Facebook so it could be fixed, even though he’d probably have got a lot more publicity if he’d told the world first.
  • Thanks to Facebook for having a bug bounty programme so that the finder gets some sort of reward for doing the right thing.
  • Well done to Facebook for taking the bug report seriously and fixing the problem.
  • Congratulations to those jurisdictions that have passed strong data breach notification laws, so that this sort of problem can’t just be swept under the carpet.
  • Huzzah to those of you who take the stance of not sharing contact lists with social networking sites, on the principle that “if you don’t share it, they can’t lose it.”