FB users put their details on their publicly accessible FB, someone ran a scraper across FB for publicly accessible info and dumped it into an insecure elasticsearch cluster and a researcher found that cluster.
How is FB at fault there? I say this as someone who has colossal issues with that company in general.
I remember the Zuckerberg family being caught out by Facebook's settings over a photo and complaining when the photo spread:
We can argue that the core UI is trivial and hence non-technical people jump on and essentially make user errors, but I'd be inclined to put the onus on people using a private platform to host their private information to ensure they've set up their account in a way that reflects the settings they want.
Don't get me wrong here either, if someone hacks a platform and extracts private information, or if the platform's infrastructure is misconfigured and exposes private information, then by all means I want the company responsible held accountable. Which is something that currently does not really happen. I'm just hesitant to blame FB for users misconfiguring their accounts and alien actors taking advantage of that misconfiguration.
People may not be able to opt out of these services. Many people will buy phones and devices and, when they receive them, discover that the Facebook app and similar apps are pre-installed and cannot be removed. Additionally, here in the UK many schools use Facebook to communicate important information to parents. Even without semi-official requirements, the effect of so many people and organisations running social interactions through Facebook means that people have little choice but to join themselves.
I think we need both legal requirements and social standards about how these things are handled to make things like Facebook safe by default, not safe if you and the people you know put effort and expertise into controlling your exposure.
PS. I haven't downvoted your comments, I don't know why one of them looks to have been downvoted.
The only ones capable of preventing either the scraping operation or the API abuse would be Facebook. Scraping is an arms race, but I certainly don't trust Facebook to care about protecting my data, except where it would infringe on their ability to sell it. If it's "API abuse," that's definitely on Facebook to prevent.
Solution? Facebook closed the API. And now people complain that Facebook is a silo and they hold onto your data and they don't allow 3rd party apps to access it.
Facebook discovers these kinds of issues on a regular basis. The idea that they've clamped down on this type of thing is the joke of 2019.
However, the main question is: why would you ever give your time to such a toxic platform especially when it's explicitly working against you like in this case? Just move on and give them the finger.
Because a bunch of people you know are on the toxic platform.
not how it works for me! i have friends on fb that i haven't talked to or seen since high school. i don't use fb proper but it's good to know that it remembers everyone so i don't have to. i guess it goes the other way around as well.
There is something wrong with this for me.. If you don't remember people, are they really worth keeping around?
It is a great way to reach someone you want to get in touch with after a really long time, but that scenario is far more rare than people claim when they speak of the 'magic of facebook'.
How in the world are you ever going to know if you never contact them again?
Did you ask this back in 2008?
As someone who was ridiculed, outcast and made fun of at uni for not using social media because I didn't want to submit my data online, it's finally nice to find people are actually starting to realise this; just twelve years too late.
But Twitter? Pretty much nobody uses it for day-to-day communication, so you can opt-out with no consequences.
Still, it's a shame it took them so long to implement a proper 2FA.
Worse still, they used the numbers provided for ad targeting.
No offense, but if you need to "pay" for your researcher, you're probably not that ethical and are most likely behind some intentional offensive hacking, so people can make money off your back.
If you can assume that they are reporting the exploits or breaches through the right channel, it might actually be more convenient for bounty hunters to have 1 place to funnel them all into.
If Comparitech also makes some profit off their reporting of the breaches then you can start to get an idea of where they're getting some funding from.
I am fine with this practice.. It incentivises more grey/white hat eyes on potential breaches. And in my book, that's never a bad thing.
Given how public they are about their methods and approach, I will give them the benefit of the doubt for now..
At FB the morale has collapsed. The support forums and bug bounty submissions are piling up and have been for weeks.
FB cannot and will not act. It is a problem of leadership not engineering and I have tremendous respect for nearly all of the staff there.
That being said the fact that Facebook continues to ignore that servers in Vietnam are hosting what appears to be all 71 million records of the Vietnamese ppl is shocking. If you are a Muslim in Vietnam the information is shockingly detailed.
The only question here is how were emails & phone numbers obtained and whether users were made aware that they would be available publicly.
This is a terrible trend of "well you agreed to the terms and conditions so this is YOUR fault", when certain T's and C's shouldn't exist in the first place. IIRC the CEO of twitter even thinks this is bullshit.
We need to blame citizens, consumers, and users LESS than corporations, not more.
How much effort do you put in to protect your grandma?
So yes, we need something cleaner than tons of ToS that's continually changing and we also need more educated people that know that if they put something online it's now public.
My comment is not saying anything because a balanced view is like zero information. But the same is going on with politics. People tend to polarize into two camps. You can make a good argument for both. By rationalizing away the other one you get a sense of self-coherence and some dopamine because yay brain we solved that issue, it's that simple.
But agreeing on small steps that seem like a good direction and understanding that some things that don't seem like a good ultimate solutions may be good local optimizations is hard. Plus it doesn't grab attention. Attention economy even in HN threads. I'm most eager to respond to views that I heavily disagree with, balanced comments get out of the way.
E.g. if I ask you if you know Bob and you say yes, I don't think you would say you violated Bob's privacy (you probably would think that if you gave me his number). So who you are friends with commonly feels like info that is fine to share. But if I ask everybody on the planet, I know all friends of Bob and he may not be fine with that. I think both technology and mindset improvements are necessary. Regulations probably too but it's hopeless how much it is lagging and understandably so given the highly technical nature of most of these problems and centralized law making.
Voting with your behavior like not using fb hardly works (see Bob's problem above, but also power law and everything being connected) and we still haven't figured out how to punish bad behavior of big corporations. Losing some money is not an issue and how can you put somebody in jail if the crime was emergent and hundreds of people participated without necessarily knowing anything about it.
If you have an account your data has been in a leak.
Translation: the only way to have an account is to not have an account.
"...the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals..."
More cyber alarmism. What would these "VPN experts" say to a phone directory?
He goes on to describe how this was reported as abuse to the service provider instead of notifying the owners of the DB.
Finally he concludes that users can manage their privacy settings from within Facebook. Thereby acknowledging that users can manage their data or have chosen to provide it publicly.
The cyber-alarmism trend from self appointed security experts has gone too far.
Billions of compromising documents, photos and personal details are now sitting around on the servers of a half dozen for-profit companies.
Only Equifax has given us a taste of what is in store.
Is the world prepared for the day when a trillion Gmail messages leak? Billions of personal camera-roll photos? Trillions of search history entries?
We need to start taking these issues seriously.
Today we have security-expert-journalists calling the equivalent of a phone book a "verified threat incident".
I'd wager that gmail data is already available to the intelligence services of the five-eyes countries.
What does taking it seriously mean in this case? Not using Facebook? Acknowledging that data posted publicly is, wait for it... public?
To top it off the bread and butter of this blog is affiliate links to VPN providers. Another centralization of data for those seeking privacy. Not only is this contradictory, but it preys on the ignorance of the audience.
When companies sell this same data to employers it is called OSINT. When someone finds this data through Shodan and it is hosted in Vietnam they call it cyber-crime. Many times the OSINT groups are the same ones making the accusations.
Sure, if you're the HN crowd and assume every database is penetrable, this may not be a "threat incident" but when you're Grandma Jones who assumes that when she ticks the "private" box on her posts that it'll be private. If you care about infosec but are still ignorant of just how incompetent these companies can be then this breach is a "verified threat incident" and there's no reason to be alarmist here because someone mentioned that it happened.
Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don't know why.
Zuckerberg: They "trust me"
Zuckerberg: Dumb fucks.
Yes indeed, putting information online that you expect some level of privacy for was your fault, because someone posted it on display for everyone to see. Mark is never at fault.
This is never going to end. This is true for criminal orgs but also legit businesses that despite regulations will mostly prioritize features to their customers over less tangible/monetizable value like hardened infrastructure and updated software.
Maybe I'm wrong and this cluster was left exposed for another reason, though.