Facebook security bug exposed 6 million users' personal information (facebook.com)
130 points by 6thSigma 300 days ago | comments

discostrings 300 days ago | link

So it sounds like when people give Facebook access to copy their contact lists / address books from an email account or phone, Facebook tries to match those email addresses and phone numbers to other Facebook accounts. Sometimes, those email addresses and phone numbers aren't already part of the Facebook account they're matched with, but Facebook is pretty confident of the match. So Facebook stores those addresses and numbers as part of the matched account's "shadow profile".

The problem they're reporting here seems to be that when one used the tool to download one's account, the addresses and phone numbers from friends' "shadow profiles" were included.

It makes you wonder what other invisible data is attached to a Facebook profile...


twakefield 300 days ago | link

I work at Mailgun and this may explain why when our customers use Facebook as a customer acquisition tool they inevitably end up with a large amount of bad email addresses, leading to a poor email sending reputation or worse.

While I'm not familiar with the information Facebook shares through Facebook Connect, this seems to be a big shortcoming. You may not be getting the customer's real, current email addresses.

We have to tell people that Facebook is not a reliable way to obtain valid email addresses. The only way to properly do this is to have customers submit their email addresses directly to your own signup form and then validate them with a confirmation link sent to that address (double opt-in).


mikhaill 300 days ago | link

The issue is that when you use Facebook Connect and get the user's email, it returns the email originally used to sign up for Facebook. Since people signed up years ago, many no longer have that as an active address, which leads to the poor email quality.


makomk 300 days ago | link

Wow - I expect most Facebook users have invalid e-mail addresses if that's the case. Originally, you could only sign up with a college or university e-mail address, and pretty much all of those addresses are now dead because people graduated or left.


cbhl 300 days ago | link

What about sending email to <facebook-username>@facebook.com? Then it just ends up in their "Other" box in Facebook messages, but at least (I suspect) it won't bounce.


twakefield 300 days ago | link

That is an alternative. Although, we have found they throttle incoming SMTP traffic pretty aggressively. I don't fault them for this - I'm sure they are bombarded by spammers.

Here's an interesting post I came across on the subject: http://www.whatcounts.com/2012/06/what-is-the-deliverability...


runn1ng 300 days ago | link

They also keep sort of "reverse lookup" information on everyone - basically, what other people have you in their address books.

They keep this information on you even if you are not a Facebook user.


nebula 300 days ago | link

The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you. All these blog posts and notification emails are just PR propaganda to make gullible users believe that FB cares about their privacy.


1337biz 298 days ago | link

Just discovered that this post is linked by the CNet article ( http://www.zdnet.com/anger-mounts-after-facebooks-shadow-pro... ). Thought maybe nebula would be interested to know :)


expl0its 298 days ago | link



neoscsi 298 days ago | link

You're mostly right except for one thing:

The extended data download did not include shadow profile data from just your friends. It included shadow profile data from anyone that matched any of your contacts. If zuck@facebook.com was one of your contacts, you would have retrieved all of his data.

This could have been used as a very targeted malicious data mining tool. It probably was.


bredren 300 days ago | link

This blog post does not identify exactly where the leaked data is.

I have a DYI export of my account from 3/26/13 and am trying to determine where the data is. Can anyone help?

DYIs have the following directory structure:

last name
  - html
  - videos
  - photos
  - photo

The html folder contains many files, including "friends.html," where each friend is listed as a div. I believe normal data, i.e. friends who did not upload an address book, have the structure:

<div class="friendvcard"><span class="profile fn">[Friend's Full Name]</span></div>

Whereas users who have had their data inadvertently leaked due to friends who uploaded address books containing their contact data (confusing, but I think that's right) have the following structure, which contains leaked data:

<div class="friend vcard"><span class="profile fn">[Friend's Full Name]</span><span class="email"> (<a href="mailto:[Friend's email address]">[Friend's email address]</a>)</span></div>

I have three of these entries with email addresses, but am not seeing any phone numbers. Can anyone else corroborate this structure, add how the phone numbers were stored, and verify an example case where a known friend uploaded their contact data matching the leak?

edited for clarity
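As an added example (not code from the thread or from Facebook), here is a stdlib-only Python scanner for a DYI friends.html that reports every friend entry carrying a span beyond the name, based on the two entry shapes bredren quotes above. The sample HTML, names and addresses are constructed, and the "tel" span is an assumption, since the thread does not say how phone numbers were stored.

```python
from html.parser import HTMLParser
# Constructed sample modelled on the two entry shapes quoted above; names and
# addresses are made up, and the "tel" span is an assumption (the thread does
# not say how phone numbers were stored), so every non-name span is reported.
SAMPLE_FRIENDS_HTML = """
<div class="friend vcard"><span class="profile fn">Alice Example</span></div>
<div class="friend vcard"><span class="profile fn">Bob Example</span><span class="email"> (<a href="mailto:bob@example.org">bob@example.org</a>)</span></div>
<div class="friend vcard"><span class="profile fn">Carol Example</span><span class="tel">+1 555 0100</span></div>
"""

class FriendCardParser(HTMLParser):
    """One record per flat <div> whose class list contains "vcard"."""
    def __init__(self):
        super().__init__()
        self.records = []
        self._current = None     # record being built, or None outside a card
        self._span_class = None  # class of the innermost open <span>

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if self._current is None:
            if tag == "div" and "vcard" in classes:
                self._current = {"name": "", "extra": {}}
        elif tag == "span":
            self._span_class = " ".join(classes)

    def handle_endtag(self, tag):
        if self._current is None:
            return
        if tag == "span":
            self._span_class = None
        elif tag == "div":               # cards are flat in the quoted shapes
            self.records.append(self._current)
            self._current = None

    def handle_data(self, data):
        text = data.strip()
        if self._current is None or self._span_class is None or text in ("", "(", ")"):
            return
        if "fn" in self._span_class.split():
            self._current["name"] += text
        else:   # anything that is not the name: email, phone, unknown fields
            self._current["extra"].setdefault(self._span_class, []).append(text)

def find_leaked_entries(html):
    """Return (friend_count, records carrying any field beyond the name)."""
    parser = FriendCardParser()
    parser.feed(html)
    parser.close()
    return len(parser.records), [r for r in parser.records if r["extra"]]
```

Feed `find_leaked_entries` the contents of your own export's friends.html to list which entries carry fields beyond the name and under which span class they appear.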


neoscsi 298 days ago | link

It was 'addressbook.html' from your extended data download, not the normal data download.


Pxtl 300 days ago | link

So, to clarify: if you downloaded your info, you would also download email addresses and phone numbers that other people thought were yours...that doesn't sound so bad.


discostrings 300 days ago | link

No--it seems that if you downloaded your info, you would also download email addresses and phone numbers of your friends that other people had in their address books, without your friends ever knowing Facebook had that information.


nolok 300 days ago | link

To make it clearer, I don't have a FB account, but from what I get from the article:

John adds Bob as a friend.

Alice adds Bob as a friend, and while crawling her contact info (say, on her smartphone), Facebook finds a phone number for Bob that Bob himself didn't give.

Facebook remembers the phone number on Bob's "shadow" account.

John downloads his info, and for his friend Bob he can see the phone number. Bob never gave it to Facebook, never gave it to John. Facebook never told Bob they had it.


Routinism 300 days ago | link

This is exactly what happened. I never entered my phone number into anything Facebook, and today I received an email that referenced an old phone number of mine being inadvertently released. My strong suspicion is that Facebook crawled a friend's phone contact list, and linked my phone number to my name/Facebook profile.

LinkedIn did something equally as shady with their iOS app. I kept the email addresses of people I met on a trip to Europe on my phone, but never communicated with them. After installing the LinkedIn app on my phone, the "People You May Know" section for my account on the website started recommending these same people that I met in Europe. I had no idea how this happened until the Path controversy started.

I never consented to anyone stealing my information -- whether it's on my phone or someone else's. What if my social security number or credit card number was stored in my or someone else's contacts? No company has the right to steal this information without consent.

I realize Apple eventually locked down access to Contacts, but as far as I'm concerned, that was too little, too late. This never should have been "public" for any app to access, and I really don't think this was just an oversight from the company responsible for the fastest-growing ecosystem ever seen. This was not a misstep...they had to realize that this data could and would get out.

Even worse are the companies that stole from phones while knowing full well that what they were doing was wrong, and that they probably had a small window in which to scrape as much data as possible. Scum.


RKoutnik 300 days ago | link

Said bug is known as the Facebook corporate sales team.


spitx 300 days ago | link

I have heard this sentiment echoed by others - several industry insiders included - before.

If it is indeed true that the sales and marketing honchos are exclusively running large tracts of key operations, aren't the resulting missteps going to be deleterious to Mark's record as the chief?

This sentiment was echoed by Dalton Caldwell about Facebook's "M&A" team, last year:

  I am not sure if this bubbled up to you, Mark, but after this all happened I
  directly communicated my feedback regarding just how unhappy I was with this
  situation to one of your executives. The executive apologized and said he would
  take my feedback under consideration.

  Mark, I know for a fact that my experience was not an isolated incident. Several
  other startup founders & Facebook employees have told me that what I experienced
  was part of a systematic M&A “formula”. Your team doesn’t seem to understand
  that being “good negotiators” vs implying that you will destroy someone’s
  business built on your “open platform” are not the same thing. I know all
  about intimidation-based negotiation tactics: I experienced them for years
  while dealing with the music industry. Bad-faith negotiations are inexcusable,
  and I didn’t want to believe your company would stoop this low. My mistake.

Does Mark maintain control of all of the operations or has he got petty feudal lords running various units and operations?



Edit: Cleanup


eminh 300 days ago | link

I guess I am part of 6 million since I got a message from Facebook regarding this.

The weird part of it is that the email address they say has been exposed is not even part of my Facebook profile.


kinofcain 300 days ago | link

Same here, I had three e-mails listed: my personal email I used for Facebook, my @facebook.com email, and a work e-mail that I don't appear to have listed in my profile or settings anywhere and don't recall even giving to Facebook.

Perhaps the "merged" contact information that got leaked included e-mails for you that your acquaintance had that you perhaps never told Facebook about?

EDIT: that would seem to be supported by this line:

"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."


eminh 300 days ago | link

Yes, indeed, it says so in the blog post, though not in the email itself.

Basically, it means that Facebook has more (much more?) information about me than they show to me in the profile. Not that I am surprised by that.


pvdm 300 days ago | link

Move fast and break things.


gummydude 300 days ago | link

Forget PRISM, they practically gave away your personal info for free.


yuhong 300 days ago | link

I wonder how much Facebook will reward for this bug?


themonk 300 days ago | link

Much less than the government penalties they might end up paying.


olegbl 300 days ago | link

So... People who already had my email/phone in another service were able to get it as part of downloading all their facebook data. Consequently, my email/phone was not disclosed (by Facebook) to anybody who didn't already have it. I don't really see an issue here.


BHSPitMonkey 300 days ago | link

I think you misunderstand; If friend A had information about you in their address book (stuff you didn't have on Facebook) and uploaded their contacts to Facebook, and friends B and C downloaded their Facebook data, it would contain the fields gathered from friend A's address book.


breakyerself 300 days ago | link

Who cares? They give it away anyway.


orthecreedence 300 days ago | link

So, Facebook poses a privacy risk to many people who hand it their information freely. In other news, the sun rose again today at the expected time.

