The Facts on News Reports About Facebook Data (fb.com)
70 points by eric59 4 days ago | hide | past | favorite | 58 comments

This is like your bank saying it's not their fault your money was stolen because someone took it away without permission. The point is that Facebook has a responsibility to keep the data you provide them secure. But the purpose of this press release is to make this responsibility seem either trivial or nonexistent.

You can show them that this responsibility is paramount. Stop giving them your data.

In the OP press release they say:

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

But if you click on the "related post" at the bottom of the page, "Taking Legal Action Against Data Scraping" (Oct 2020) [0], you'll see this sentence:

> Scraping is a form of data collection that relies on unauthorized automation for the purpose of extracting data from a website or app.

It would be interesting to hear Facebook's PR team describe the difference between "Hacking" and "Unauthorized Automation", and why apparently the latter is nothing to worry about now, but was sufficient to generate lawsuits in October.

[0] https://about.fb.com/news/2020/10/taking-legal-action-agains...

Facebook is using doublespeak here.

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

... a couple of paragraphs later:

> We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.

Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do. Which is also the definition of other "hacks", like SQL injection.

It reminds me of their Cambridge Analytica defense. Create an Open API, make all the data available to anyone who signs up for an API key, document and market the methods for extracting the data, define its boundaries and limitations, build a platform around it, and then claim you're the victim when one of your users does something bad with the data you gave them.

> Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do.

From the article it appears that the contact importer is an API endpoint which returns a set of Facebook profiles given a set of phone numbers. In that sense, it did exactly what the developer intended.

If I write a script to query google.com and get a response back you could say I'm not using google search as intended, but most software engineers would laugh at me if I claimed to have "hacked" Google in this way.

See this from Sep, 2019: https://www.forbes.com/sites/zakdoffman/2019/09/12/new-insta...

"Facebook confirmed to me that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. They pointed out to me that the exploit process is “complex,” but nonetheless did leave the platform open to abuse and put users at risk."

At a certain level the question is academic, and lawyering over definitions only distracts from the bigger picture. I trusted Facebook with my mobile number. They permitted bad actors to mis-use their service, and now bad actors have that number. Facebook should be held accountable. Whether it was through SQL injection or a poorly-thought-out API is academic.

SQL injection = Bug-in-computer-code
poor API = Bug-in-thought-process

Bug owned by FB either way.

It's almost what they intended. It was an internal API that they never thought would be exploited. (I.e. used by third parties.) Calling it scraping is a pretty fat lie.

I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.

On a side note, I remember learning about this feature, or maybe an earlier incarnation, a few years ago when a friend showed me the profile of a girl he just met at a bar. The girl had a pretty common name so I asked my friend how he looked her up, did they have friends in common. I was really just curious how FB would know which person to show. He said "no, she gave me her number and you can look them up like so and so". (I can't remember whether you could search for the number or had to create a contact, but it's beside the point.)

I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.

This also explains how someone managed to call me from a UK number a few weeks ago trying to sell me some newspaper subscription. They said they were from the "Herald digest". And they did know my name (so it wasn't just dialling random numbers.)

> In that sense, it did exactly what the developer intended.

Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.

There's a difference between an unintended use case and unintended behavior.

I thought the same thing. Is there another explanation for what this might mean?

Scraping to me is what google does, exploring links, saving and parsing data.

The contact importer presumably sourced data from iOS, google, outlook or similar address books.

You shouldn’t normally get data out that way, was it returning unexpected results from partial matches?

Maybe you could view a profile page by uploading an address book with partial, stubbed data. This page, which normally wouldn't have been accessible to the user, then was, and those and any connected profiles were then crawled and scraped?

It seems to me you used to be able to view an otherwise private profile if the person had extended a friend request.

Right, they make it sound like it was publicly available data, but it was data unintentionally made public.

Sort of like saying "people scraped publicly available information from our website" when someone grabs passwords from a public-facing MongoDB database without a password.

The data was from people's public profiles, it's not unintentionally public. The issue was making it scrapable.

No, the phone numbers and emails weren't publicly posted (globe icon), they were just meant to discover contacts.

You can choose to make your email on your profile public. Take a look at the number of emails exposed vs. the number of phone numbers exposed, there's a reason why it's a small portion, most people don't make that public.

This was just an attacker abusing "Who can look you up using the phone number you provided?" for users where this was set to the default of "Everyone" and then scraping the public details for the profile that popped up.

This is incorrect. Private phone numbers not publicly shown on your profile via the UI are included.

Mark Zuckerberg's own phone number was included, and you can bet he would never intentionally release that, nor is he likely to misconfigure his privacy settings and leak it due to user error.

Facebook also claimed that the only leaked data was "old data", phone numbers from 2019...

2 years is nothing in the age of mobile numbers that people port and keep for practically decades.

Yeah, seems like the definition of hacking, what happened there. I mean Facebook could have at least rate limited or blocked this, but they had no mitigation. They even admit to having fixed it afterwards.
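One shape such a mitigation could take, as an added illustration that is not code from Facebook or from this thread: a simulated contact-importer lookup that honours each user's "who can look you up" setting, caps lookups per caller, and refuses large batches that barely match (the signature of a number sweep rather than a real address book). The directory entries, setting values and thresholds are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    phone: str
    lookup_by_phone: str  # constructed setting values: "everyone", "friends", "only_me"

# Constructed directory; the lookup never returns the phone number, only the name.
DIRECTORY = {
    "+15550000001": Profile("Alice", "+15550000001", "everyone"),
    "+15550000002": Profile("Bob", "+15550000002", "only_me"),
    "+15550000003": Profile("Carol", "+15550000003", "friends"),
}

MAX_LOOKUPS_PER_WINDOW = 500   # per caller per time window (constructed threshold)
MIN_MATCH_RATE = 0.05          # real address books mostly hit; sweeps mostly miss
MIN_BATCH_FOR_RATE_CHECK = 100

@dataclass
class CallerState:
    lookups: int = 0
    flagged: bool = False

_state = defaultdict(CallerState)

def import_contacts(caller_id, numbers, is_friend=lambda caller, name: False):
    """Return names the caller may discover; refuse over-quota or sweep-like batches."""
    st = _state[caller_id]
    if st.flagged or st.lookups + len(numbers) > MAX_LOOKUPS_PER_WINDOW:
        st.flagged = True          # once flagged, stay blocked until reviewed
        return {"ok": False, "reason": "rate_limited"}
    st.lookups += len(numbers)
    matches = []
    for n in numbers:
        p = DIRECTORY.get(n)
        if p is None:
            continue
        # Honour the profile's "who can look you up" setting, not just public visibility.
        if p.lookup_by_phone == "everyone" or (
            p.lookup_by_phone == "friends" and is_friend(caller_id, p.name)
        ):
            matches.append(p.name)
    if len(numbers) >= MIN_BATCH_FOR_RATE_CHECK and len(matches) / len(numbers) < MIN_MATCH_RATE:
        st.flagged = True          # a big batch that barely matches looks like enumeration
        return {"ok": False, "reason": "enumeration_suspected"}
    return {"ok": True, "matches": matches}
```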

Facebook has some of the worst and most disgusting ethics in tech. I feel repulsed that they are in the same industry I work in.

Don't really want to defend Facebook, but the amount of cynicism and bad faith here is too much. This article should be welcome, it gives us more information on what happened. It clarifies that this was not some sort of database leak (which is much more damaging), but an API abuse that allowed bad actors to figure out people's phone numbers. Overall, the article brings transparency to the situation, which is good.

Good for what purpose exactly? They’re not really taking accountability so where is the good that you’re talking about?

I would have preferred if this were a database leak. At least that would have shown some effort towards protecting user data. The fact that it was acquired through a public-facing API makes it much worse, in my opinion, as it shows Facebook isn’t that concerned about protecting sensitive data.

I'm curious if the repeated negative press Facebook has received has impacted their hiring. Boots on the ground perspectives appreciated, but I can share a data point of one: I'm a very average developer, and I get at least quarterly reach outs from Facebook, a higher frequency than I've ever heard from any FANG (or any company in general). I used to get ads on the platform for FB Engineering jobs. After I deleted the app, I started getting ads in my LinkedIn feed for FB engineering. They might have a hefty recruiting budget, or there could be challenges. On the other hand, all the negative press might attract some candidates that disagree with the media.

As long as they pay top of market (and they do), people will work for them. FB consistently beats Google and other top employers by non-inconsequential figures.

There's also the case of Google being ethically bankrupt as well (undisclosed DoubleClick tracking backdoor in Chrome).

I don't see the argument that FB is worse than Google. Google will snoop on your private messages for information that they can use to feed their advertising machine, and they have an entire browser dedicated to ad networks (they regularly implement insecure APIs that are immediately abused by DoubleClick customers, including on high profile sites).

n=1, but a friend had offers from Google and Facebook, and went to Google largely because it wasn't Facebook. In my highly educated circles, McKinsey is held in higher esteem than Facebook. Thinking about that now, a few years of selecting for people who "disagree with the media" and are content with burning down society for a quick buck would really explain a lot.

If you work at Facebook and you feel compelled to tell me why your personal Faustian bargain was actually not such a bad thing, read Mistakes Were Made (But Not by Me).


Given that exact same choice, if I was looking for a job, I would unashamedly and gladly take Facebook over Google.

Great book

I know a guy who joined FB as a software dev manager a few years ago and left in less than a year. (Maybe after just six months.) He is definitely pretty critical and sometimes hints at how the internal culture is problematic and causing some of the issues visible from the outside. (He doesn't tell too much, though, for obvious reasons.)

I would bet a not-insubstantial amount of money that Facebook remains able to hire people more than qualified to execute the work of Facebook.

They contact me constantly as well. I have zero interest in working for them.

I have also noticed that more than half of my recruiter emails seem to come from Facebook, i.e. that they account for more than every other company put together.

"Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors."

Hmm, that's interesting. I read about a court case recently that seemed to say scraping was okay and also that companies shouldn't work to prohibit scraping.


Like when they used to show your name & profile picture after a failed login with just an email and empty password. Aside from being another inadvertent information leak, it would have been tragic if that was part of an attempt to decrease the (deliberate) login failure rates.

I had this only a few weeks ago. Is that 'feature' removed now?

Oh, wow. I can confirm that said "feature" is still live. People's names and profile pictures show up after entering their email address in the login form shrug

I believe that was changed to only happen on a browser you've used that account with before. I haven't checked, so I could be wrong. Still not great if you log in to your account on a public system.

The attitude that this company (and many others) has towards the data they collect from billions of people is stunning. They claim that there was nothing they could do, even when one of their tools was misused to gather phone numbers. They don't take accountability for the fact that this likely already has and will continue to enable spammers and scammers to much more easily target their users. They refuse to send out notifications to affected users (which they should have done 2 years ago). We need legislation punishing companies for being negligent with the sensitive user data they collect or this shit is never going to end.

Data they collect by abusing Android and other permission systems, reading contacts in adjacent apps like WhatsApp, etc. It's gluttony that they are now pretending is a moral high ground.

I can only speculate but what I think we are seeing here is a statement made in earnest by a corporate communication team, crafted with significant input from a product team. To admit that this was an intrusion would be severely career limiting. So they explain it in a hand-wavy fashion, enough to get the Comms people off their back. The end result is this unsatisfying explanation.

Just speculation. There has to be a method to the madness that is Facebook press releases.

Same for the 'Sorry' word that is missing as I commented as well.

Any admission by Facebook can and will act against them in the [highly likely] class action that will be executed.

I'm sure their legal department checked every letter in this statement with a x100 magnifier.

> The information did not include financial information, health information or passwords.

As someone who has an account (begrudgingly for Messenger since you can't solely use a phone number anymore) but doesn't use it, can I just say:

Wait, what?! Since when does Facebook have health information!

I don't know conceptually what portion of Facebook they're referring to but that's news to me.

One source of health information Facebook might have is the Oculus Move app (which tracks exercise in VR)

> "We’re focused on protecting people’s data by working to get this data set taken down".

I am sorry but that ship has sailed. I have already received several spam messages at the unique email address I used only for Facebook login, so the data has been spread very wide at this point.

Somehow I couldn't find one word I was looking for in this whole carefully-worded PR statement:


My phone number was removed and my account deleted when they say this hack happened. My phone number is in the leak. Doesn't that mean that my phone number was in it because other people's contacts were imported, or because they didn't actually delete my info?

The contact importer should not be turning up deleted Facebook accounts, so it seems like Facebook was keeping data on you even after you deleted your account.

If you are an EU resident, this can be a GDPR violation so you should follow up.

Deleting my Facebook account has been one of the most mentally liberating and satisfying decisions I have made in the last year. I used a Chrome addon to totally delete every post and clear everything out too; why let them have anything even when I'm gone.

Why is the headline blaming the news reporting? That is idiotic and evil.

I remember the pop ups to please add your phone number, you know, just for security! They promise to never show this to anyone... and then this happens.

It’s like a comedy.

Facebook is amazing to me, no matter what the issue, the company responds in a weird PR speak dialect that evokes circa 1990 Phillip Morris. They have a weird voice.

If you want your jaw to drop in regards to facebook disingenuousness regarding truth telling and the media, listen to the recent Lawfare podcast here:


Go to 41:18 in and listen to the story regarding Facebook and NYU's AdObserver project.

Facebook has no credibility.

I thought the US Court of Appeals established that web scraping is legal?

AFAIK the phone numbers were obtained via an account recovery exploit, not through scraping. The other fields were though.

> The information did not include financial information, health information or passwords.

Cool, should we assume everything else Facebook has was included?

And what sort of health and financial information does Facebook have?

They are profiling like crazy. I'm pretty sure they have at least an estimated income attached to almost every single one of us. Also, they do have credit card numbers for those who buy ads.

But it may have just been a generic statement.
