
Facebook says millions had phone numbers, search history and location stolen - nopacience
https://www.washingtonpost.com/technology/2018/10/12/facebook-says-fewer-users-were-affected-by-data-breach-more-information-was-taken
======
atonse
Here we go... the slow trickle of them saying every few days that the data
breach is MUCH worse than what they had said days ago. Boil the frog.

1 month from now, compare what they've said to what they said this week.

~~~
Bartweiss
Among other interesting things, this was initially sold as an attack that
enabled 'View As' for attackers who shouldn't have had access to it. It's been
described like another issue in the same vein as Cambridge Analytica and
Google+.

I don't doubt that setting was involved, but it's obvious by now that this
wasn't equivalent to the others - there's no "View As" which will show you
someone's search and location history. This isn't just a public/private
breakdown but an actual breach of Facebook's internal-only data, and unlike
the prior stories this ought to seriously challenge people's reliance on
features like Facebook-based app sign-ins.

~~~
iodiniemetra
> there's no "View As" which will show you someone's search and location
> history

Not in the UI, no. But once you have the token, which is what this was, then
you can request that from many of the UI API interfaces Facebook provides.

When this first leaked, anyone who worked with auth systems immediately
assumed it was a game over scenario.

~~~
Bartweiss
Interesting, thanks.

I had only followed general-consumption reports here, and hadn't seen that the
attack involved obtaining a token that allowed the attacker to authenticate as
the user, and I didn't realize that the API included support for pulling
search history data. Given that, I understand much better why this was a
disaster from the beginning, and why people are so mistrustful of the rolling
"and also this..." disclosures.

------
CryoLogic
Why is it that all of the times Facebook claims a "hack" it's really Facebook
giving away or selling user data via an API, getting caught and then claiming
it as a "hack" to avoid responsibility?

~~~
Bartweiss
This story looks like the exception, though?

The app piggybacking and the initial "View As" stories constituted Facebook
handing out data sloppily. But location records, search history, and TFA-only
phone numbers are internally held data Facebook wasn't showing to anyone. This
moves things from "faulty visibility settings" and "shady data sales", which
we've seen before, to "outright security breach".

~~~
jowiar
Recent search history is accessible in the UI when you click on the search
box. Assuming someone could see "what FB looks like from your perspective",
they'd be able to access the last dozen-or-so searches.

------
cpeterso
More Facebook user data leaked or "stolen"? Must be a Monday.

------
StreamBright
Great that Facebook stores these things, otherwise they could not have been
stolen.

~~~
thaumasiotes
People put their phone number and location on Facebook for public display. It
seems hard to blame Facebook for storing them.

~~~
amag
...and what about search history? I don't use Facebook but do people also put
their search history on display there?

~~~
danso
I imagine search history data is used to facilitate and optimize repeat
searches, e.g. repeatedly looking up your secret crush or exes.

~~~
TheCapn
It does actually... there used to be a way to pull out which people Facebook
"ranked" highest for you above others. That's why search isn't always
alphabetical when you use it; it sorts the list by a preference score they
generate based on how you interact with profiles.

------
pwaivers
> _User messages could have been exposed in one specific use case, officials
> said. If an affected user had been the administrator of a Facebook page, and
> the page had received a message from another user, that message may have
> been compromised, Facebook said._

Isn't this a common use case? Are we administrators of our own FB accounts?

~~~
close04
A Facebook page is different from a Facebook profile in the way it's presented
so most likely the messages are made available through different mechanisms. I
guess they are suggesting the particular hack didn't directly give the
attackers full access to the users' profile pages (including messages) but
when it comes to Facebook pages the messages are directly exposed.

With FB and Google getting free passes (as in no penalty that hurts) after
this kind of incident I don't see them doing much else beyond the minimal
diligence.

------
throwaway292939
Imagine if "page views" of your friends profiles were leaked...

~~~
ravenstine
LOL Then we could no longer pretend that Facebook doesn't still exist because
of e-stalking unrequited loves and exes.

------
nkkollaw
Looks like the first huge GDPR fine the EU will be able to get.

------
thrower123
Hmm, Facebook has said that I was not included in this latest data breach, but
on the other hand, the amount of spam that I've received in the email address
that Facebook knows about has skyrocketed in the last few days... Correlation
doesn't necessarily imply causation, and there's a million and one ways that
spammers could get that address, but it certainly is curious.

------
onetimemanytime
Search history is the most problematic, IMO; it shows intent. But combine all
three and you have a problem.

I think we need a new internet rule/law:

if it's online, it will be hacked/stolen sooner or later.

So they should not save most of the stuff.

~~~
colejohnson66
Isn’t that what GDPR aims to do?

------
heuiop
Is this the search history that appears in the activity tab? So, if you keep
that clear, nothing could have leaked, right?

------
intopieces
Are all these the same hack? I’m losing track.

------
JVIDEL
Good thing I never gave them my phone

And that I got tracking and location blockers specifically for fb