Facebook security bug exposed 6 million users' personal information - 6thSigma
https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766

======
discostrings
So it sounds like when people give Facebook access to copy their contact lists
/ address books from an email account or phone, Facebook tries to match those
email addresses and phone numbers to other Facebook accounts. Sometimes, those
email addresses and phone numbers aren't already part of the Facebook account
they're matched with, but Facebook is pretty confident of the match. So
Facebook stores those addresses and numbers as part of the matched account's
"shadow profile".

The problem they're reporting here seems to be that when one used the tool to
download one's account, the addresses and phone numbers from friends' "shadow
profiles" were included.

It makes you wonder what other invisible data is attached to a Facebook
profile...

~~~
twakefield
I work at Mailgun and this may explain why when our customers use Facebook as
a customer acquisition tool they inevitably end up with a large amount of bad
email addresses, leading to a poor email sending reputation or worse.

While I'm not familiar with the information Facebook shares through Facebook
Connect, this seems to be a big shortcoming. You may not be getting the
customer's real, current email addresses.

We have to tell people that Facebook is not a reliable way to obtain valid
email addresses. The only way to properly do this is to have customers submit
their email addresses directly to your own signup form and then validate them
with a confirmation link sent to that address (double opt-in).

~~~
mikhaill
The issue is that when you use Facebook Connect and get the user's email, it
returns the email originally used to sign up for Facebook. Since people signed
up years ago, many no longer have that as an active address, which leads to
the poor email quality.

~~~
makomk
Wow - I expect most Facebook users have invalid e-mail addresses if that's the
case. Originally, you could only sign up with a college or university e-mail
address, and pretty much all of those addresses are now dead because people
graduated or left.

------
bredren
This blog post does not identify exactly where the leaked data is.

I have a DYI export of my account from 3/26/13 and am trying to determine
where the data is. Can anyone help?

DYI's have the following directory structure:

    [last name]/
      - html
      - videos
      - photos
      - photo
      index.html

The html folder contains many files including "friends.html," where each
friend is listed as a div. I believe normal data, i.e. friends who did not
upload address book have the structure:

<div class="friendvcard"><span class="profile fn">[Friend's Full
Name]</span></div>

Whereas users who have had their data inadvertently leaked due to Friends who
uploaded address books containing their contact data (confusing but I think
that's right) have the following structure which contains leaked data:

<div class="friend vcard"><span class="profile fn">[Friend's Full
Name]</span><span class="email"> (<a href="mailto:[Friend's email
address]">[Friend's email address]</a>)</span></div>

I have three of these entries with email addresses, but am not seeing any
phone numbers. Can anyone else corroborate this structure, add how the phone
numbers were stored, and verify an example case where a known friend uploaded
their contact data matching the leak?

edited for clarity
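As an added example (not part of the thread and not Facebook's own tooling), here is a small Python audit script for a friends.html of the shape quoted above. It assumes only what the post shows: each friend is a div whose class contains "vcard" (the post shows both "friendvcard" and "friend vcard", so either is accepted), the name sits in a span with class "profile fn", and any other span inside that div is a contact field that did not come from the friend's own profile. The sample HTML is constructed for the example; the class names for phone numbers are unknown, so the script reports every non-name field rather than assuming one.

```python
# Added example: audit a DYI friends.html for contact fields attached to
# friends beyond their name. Not from the original thread or from Facebook.
from html.parser import HTMLParser


class FriendVcardParser(HTMLParser):
    """Collect one record per friend div: the name plus any extra fields."""

    def __init__(self):
        super().__init__()
        self.records = []
        self._current = None   # record for the vcard div currently open
        self._field = None     # class of the <span> currently open, if any
        self._depth = 0        # nested <div> depth inside the vcard div

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "div":
            if self._current is not None:
                self._depth += 1
            # Accept both "friendvcard" and "friend vcard" as shown in the post.
            elif any("vcard" in c for c in classes):
                self._current = {"name": "", "fields": {}}
        elif tag == "span" and self._current is not None:
            # Assumption: the span's class names the field ("email", ...).
            self._field = " ".join(classes) or "unlabelled"

    def handle_data(self, data):
        if self._current is None or self._field is None:
            return
        if self._field == "profile fn":
            self._current["name"] += data.strip()
            return
        # Drop the decorative " (" and ")" around the mailto link.
        text = data.strip(" ()\n\t")
        if text:
            self._current["fields"].setdefault(self._field, []).append(text)

    def handle_endtag(self, tag):
        if tag == "span":
            self._field = None
        elif tag == "div" and self._current is not None:
            if self._depth:
                self._depth -= 1
            else:
                self.records.append(self._current)
                self._current = None


def parse_friends(html):
    """Return a list of {"name": str, "fields": {class: [values]}} records."""
    parser = FriendVcardParser()
    parser.feed(html)
    parser.close()
    return parser.records


def leaked_entries(html):
    """Only the friends whose div carries fields beyond the name."""
    return [rec for rec in parse_friends(html) if rec["fields"]]


# Constructed sample in the two shapes quoted in the post (no real data).
SAMPLE_FRIENDS_HTML = """
<div class="friendvcard"><span class="profile fn">Alice Example</span></div>
<div class="friend vcard"><span class="profile fn">Bob Example</span><span class="email"> (<a href="mailto:bob@example.org">bob@example.org</a>)</span></div>
<div class="friend vcard"><span class="profile fn">Carol Example</span></div>
"""

if __name__ == "__main__":
    for rec in leaked_entries(SAMPLE_FRIENDS_HTML):
        print(rec["name"], "->", rec["fields"])
```

To run it against a real export, read the html/friends.html file into a string and pass it to leaked_entries; every record it returns is a friend whose entry carries data that was not just their displayed name, which is the set of entries worth checking against the friend's actual profile.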

~~~
neoscsi
It was 'addressbook.html' from your extended data download, not the normal
data download.

------
eminh
I guess I am part of 6 million since I got a message from Facebook regarding
this.

The weird part of it is that the email address they say to have been exposed is
not even part of my Facebook profile.

~~~
kinofcain
Same here, I had three e-mails listed: my personal email I used for Facebook,
my @facebook.com email, and a work e-mail that I don't appear to have listed
in my profile or settings anywhere and don't recall even giving to Facebook.

Perhaps the "merged" contact information that got leaked included e-mails for
you that your acquaintance had that you perhaps never told Facebook about?

EDIT: that would seem to be supported by this line:

"This contact information was provided by other people on Facebook and was not
necessarily accurate, but was inadvertently included with the contacts of the
person using the DYI tool."

~~~
eminh
Yes, indeed, it says so in the blog post, though not in the email itself.

Basically, it means that Facebook has more (much more?) information about me
than it shows me in the profile. Not that I am surprised by that.

------
Pxtl
So, to clarify: if you downloaded your info, you would also download email
addresses and phone numbers that other people thought were yours...that
doesn't sound so bad.

~~~
discostrings
No--it seems that if you downloaded your info, you would also download email
addresses and phone numbers _of your friends_ that other people had in their
address books, _without your friends ever knowing Facebook had that
information_.

~~~
nolok
To make it clearer, I don't have a FB account but from what I get from the
article:

John adds Bob as a friend.

Alice adds Bob as a friend, and while crawling her contact info (say, on
her smartphone), Facebook finds a phone number for Bob that Bob himself didn't
give.

Facebook remembers the phone number on Bob's "shadow" account.

John downloads his info, and for his friend Bob he can see the phone number.
Bob never gave it to Facebook, never gave it to John. Facebook never told Bob
they had it.

~~~
Routinism
This is exactly what happened. I never entered my phone number into anything
Facebook, and today I received an email that referenced an old phone number of
mine being inadvertently released. My strong suspicion is that Facebook
crawled a friend's phone contact list, and linked my phone number to my
name/Facebook profile.

LinkedIn did something equally shady with their iOS app. I kept the email
addresses of people I met on a trip to Europe on my phone, but never
communicated with them. After installing the LinkedIn app on my phone, the
"People You May Know" section for my account on the website started
recommending these same people that I met in Europe. I had no idea how this
happened until the Path controversy started.

I never consented to anyone stealing my information -- whether it's on my
phone or someone else's. What if my social security number or credit card
number was stored in my or someone else's contacts? No company has the right
to steal this information without consent.

I realize Apple eventually locked down access to Contacts but as far as I'm
concerned, that was too little, too late. This never should have been "public"
for any app to access, and I really don't think this was just an oversight
from the company responsible for the fastest-growing ecosystem ever seen. This
was not a misstep...they had to realize that this data could and would get
out.

Even worse are the companies that stole from phones while knowing full well
that what they were doing was wrong, and that they probably had a small window
in which to scrape as much data as possible. Scum.

------
pvdm
Move fast and break things.

------
RKoutnik
Said bug is known as the Facebook corporate sales team.

~~~
spitx
I have heard this sentiment echoed by others - several industry insiders
included - before.

If this is indeed true that the sales and marketing honchos are exclusively
running large tracts of key operations, aren't the resulting missteps going to
be deleterious to Mark's record as the chief?

This sentiment was echoed by Dalton Caldwell about Facebook's "M&A" team, last
year:

    I am not sure if this bubbled up to you, Mark, but after this all happened I
    directly communicated my feedback regarding just how unhappy I was with this
    situation to one of your executives. The executive apologized and said he would
    take my feedback under consideration.

    Mark, I know for a fact that my experience was not an isolated incident. Several
    other startup founders & Facebook employees have told me that what I experienced
    was part of a systematic M&A "formula". Your team doesn't seem to understand
    that being "good negotiators" vs implying that you will destroy someone's
    business built on your "open platform" are not the same thing. I know all
    about intimidation-based negotiation tactics: I experienced them for years
    while dealing with the music industry. Bad-faith negotiations are inexcusable,
    and I didn't want to believe your company would stoop this low. My mistake.

Does Mark maintain control of all of the operations or has he got petty feudal
lords running various units and operations?

Source:

[http://daltoncaldwell.com/dear-mark-zuckerberg](http://daltoncaldwell.com/dear-mark-zuckerberg)

Edit: Cleanup

------
olegbl
So... People who already had my email/phone in another service were able to
get it as part of downloading all their facebook data. Consequently, my
email/phone was not disclosed (by Facebook) to anybody who didn't already have
it. I don't really see an issue here.

~~~
BHSPitMonkey
I think you misunderstand; If friend A had information about you in their
address book (stuff you didn't have on Facebook) and uploaded their contacts
to Facebook, and friends B and C downloaded their Facebook data, it would
contain the fields gathered from friend A's address book.

------
gummydude
Forget PRISM, they practically gave away your personal info for free.

------
yuhong
I wonder how much Facebook will reward for this bug?

~~~
themonk
Much less than the government penalties they might end up paying.

------
breakyerself
Who cares? They give it away anyway.

------
orthecreedence
So, Facebook poses a privacy risk to many people who hand it their information
freely. In other news, the sun rose again today at the expected time.