Facebook security bug exposed 6 million users' personal information (facebook.com)
141 points by 6thSigma 1611 days ago | 30 comments

So it sounds like when people give Facebook access to copy their contact lists / address books from an email account or phone, Facebook tries to match those email addresses and phone numbers to other Facebook accounts. Sometimes, those email addresses and phone numbers aren't already part of the Facebook account they're matched with, but Facebook is pretty confident of the match. So Facebook stores those addresses and numbers as part of the matched account's "shadow profile".

The problem they're reporting here seems to be that when one used the tool to download one's account, the addresses and phone numbers from friends' "shadow profiles" were included.

It makes you wonder what other invisible data is attached to a Facebook profile...

I work at Mailgun and this may explain why when our customers use Facebook as a customer acquisition tool they inevitably end up with a large amount of bad email addresses, leading to a poor email sending reputation or worse.

While I'm not familiar with the information Facebook shares through Facebook Connect, this seems to be a big shortcoming. You may not be getting the customer's real, current email addresses.

We have to tell people that Facebook is not a reliable way to obtain valid email addresses. The only way to properly do this is to have customers submit their email addresses directly to your own signup form and then validate them with a confirmation link sent to that address (double opt-in).
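The double opt-in flow described in the comment above, as an added example that is not from the thread or from Mailgun: a signup is only "deliverable" once the owner of the address clicks a link carrying a token the server can verify. The token binds the lowercased address to an expiry under an HMAC, so nothing has to be stored per token and a forged or altered link is rejected. The key, the TTL and the `SignupRegistry` class are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed per-process key; a real deployment loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed validity window for a confirmation link


def make_confirmation_token(email: str, now: int, key: bytes = SECRET_KEY,
                            ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build a self-contained token: base64(email|expiry|hex(HMAC-SHA256)).

    The MAC covers both the address and the expiry, so neither can be changed
    without the server key, and the server keeps no per-token state.
    """
    payload = f"{email.strip().lower()}|{int(now) + ttl}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_confirmation_token(token: str, now: int,
                              key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed,
    forged, tampered with or expired. The MAC check is constant-time."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode("ascii")
        payload, mac = raw.rsplit("|", 1)
        email, expiry = payload.rsplit("|", 1)
        expiry_ts = int(expiry)
    except ValueError:          # bad base64, non-ASCII bytes, missing fields
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if int(now) > expiry_ts:
        return None
    return email


class SignupRegistry:
    """Tracks addresses as pending or confirmed. Only confirmed addresses are
    ever handed to the mail-sending side, which is what keeps bounces down."""

    def __init__(self, key: bytes = SECRET_KEY) -> None:
        self.key = key
        self.pending: Dict[str, int] = {}
        self.confirmed: Dict[str, int] = {}

    def request_signup(self, email: str, now: int) -> str:
        # Step 1: the address is submitted on your own form. Record it as
        # pending and return the token to embed in the confirmation link
        # (sending the mail itself is outside this example).
        email = email.strip().lower()
        self.pending[email] = int(now)
        return make_confirmation_token(email, now, self.key)

    def confirm_signup(self, token: str, now: int) -> bool:
        # Step 2: the link is clicked. Only a valid, unexpired token for an
        # address that is still pending promotes it to confirmed, so a reused
        # link after confirmation does nothing.
        email = verify_confirmation_token(token, now, self.key)
        if email is None or email not in self.pending:
            return False
        del self.pending[email]
        self.confirmed[email] = int(now)
        return True

    def deliverable_addresses(self) -> List[str]:
        return sorted(self.confirmed)


if __name__ == "__main__":
    reg = SignupRegistry()
    link_token = reg.request_signup("someone@example.invalid", now=1_000)
    print("confirmed:", reg.confirm_signup(link_token, now=1_500))
    print("deliverable:", reg.deliverable_addresses())
```

The `now` parameter is passed explicitly so the expiry path can be exercised in tests; in a service you would pass `int(time.time())`.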

The issue is that when you use Facebook connect and get the user's email it returns the email originally used to sign up for facebook. Since people signed up years ago, many no longer have that as an active address, which leads to the poor email quality.

Wow - I expect most Facebook users have invalid e-mail addresses if that's the case. Originally, you could only sign up with a college or university e-mail address, and pretty much all of those addresses are now dead because people graduated or left.

What about sending email to <facebook-username>@facebook.com? Then it just ends up in their "Other" box in Facebook messages, but at least (I suspect) it won't bounce.

That is an alternative. Although, we have found they throttle incoming SMTP traffic pretty aggressively. I don't fault them for this - I'm sure they are bombarded by spammers.

Here's an interesting post I came across on the subject: http://www.whatcounts.com/2012/06/what-is-the-deliverability...

They also keep sort of "reverse lookup" information on everyone - basically, what other people have you in their address books.

They keep this information on you even if you are not a Facebook user.

The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you. All these blog posts and notification emails are just PR propaganda to make gullible users believe that FB cares about their privacy.

Just discovered that this post is linked by the CNet article ( http://www.zdnet.com/anger-mounts-after-facebooks-shadow-pro... ). Thought maybe nebula would be interested to know :)

You're mostly right except for one thing:

The extended data download did not include shadow profile data from just your friends. It included shadow profile data from anyone that matched any of your contacts. If zuck@facebook.com was one of your contacts, you would have retrieved all of his data.

This could have been used as a very targeted malicious data mining tool. It probably was.

This blog post does not identify exactly where the leaked data is.

I have a DYI export of my account from 3/26/13 and am trying to determine where the data is. Can anyone help?

DYIs have the following directory structure:

last name
- html
- videos
- photos
- photo
The html folder contains many files including "friends.html", where each friend is listed as a div. I believe normal data, i.e. friends who did not upload an address book, have the structure:

<div class="friendvcard"><span class="profile fn">[Friend's Full Name]</span></div>

Whereas users who have had their data inadvertently leaked due to Friends who uploaded address books containing their contact data (confusing but I think that's right) have the following structure which contains leaked data:

<div class="friend vcard"><span class="profile fn">[Friend's Full Name]</span><span class="email"> (<a href="mailto:[Friend's email address]">[Friend's email address]</a>)</span></div>

I have three of these entries with email addresses, but am not seeing any phone numbers. Can anyone else corroborate this structure, add how the phone numbers were stored, and verify an example case where a known friend uploaded their contact data matching the leak?

edited for clarity
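As an added example (not from the thread, and not Facebook's export tool), here is a small stdlib-only parser that walks a friends.html in the shape described above, records which markup variant each entry uses, and lists only the entries that carry contact fields, which is the check someone auditing their own export would want. The sample markup is constructed from the two structures quoted in the comment; the "tel" span is an assumption about how a phone number might have been represented, since the comment does not show one.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample. The first entry is the plain "friendvcard" form; the
# others use the "friend vcard" form with an "email" span as quoted above.
# The "tel" span on the last entry is an assumption, not something the
# comment confirms.
SAMPLE_FRIENDS_HTML = """
<html><body><div class="contents">
<div class="friendvcard"><span class="profile fn">Alice Example</span></div>
<div class="friend vcard"><span class="profile fn">Bob Example</span><span class="email"> (<a href="mailto:bob@example.invalid">bob@example.invalid</a>)</span></div>
<div class="friend vcard"><span class="profile fn">Carol Example</span><span class="email"> (<a href="mailto:carol@example.invalid">carol@example.invalid</a>)</span><span class="tel"> (+1 555 0100)</span></div>
</div></body></html>
"""


class FriendsExportParser(HTMLParser):
    """Collects one dict per friend entry with any attached contact fields."""

    def __init__(self) -> None:
        super().__init__()
        self.entries: List[Dict] = []
        self._entry: Optional[Dict] = None   # entry currently being filled
        self._field: Optional[str] = None    # span we are inside: name/email/tel
        self._buf = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = (a.get("class") or "").split()
        if tag == "div" and ("friendvcard" in cls or {"friend", "vcard"} <= set(cls)):
            self._entry = {"name": "", "email": [], "tel": [],
                           "markup": " ".join(cls)}
        elif self._entry is not None and tag == "span":
            for marker in ("fn", "email", "tel"):
                if marker in cls:
                    self._field = "name" if marker == "fn" else marker
                    self._buf = ""
        elif self._entry is not None and tag == "a" and self._field == "email":
            # The leaked address sits in the mailto: link, not just the text.
            href = a.get("href") or ""
            if href.startswith("mailto:"):
                self._entry["email"].append(href[len("mailto:"):])

    def handle_data(self, data):
        if self._entry is not None and self._field is not None:
            self._buf += data

    def handle_endtag(self, tag):
        if tag == "span" and self._entry is not None and self._field is not None:
            text = self._buf.strip(" ()\n\t")
            if self._field == "name":
                self._entry["name"] = text
            elif self._field == "tel" and text:
                self._entry["tel"].append(text)
            self._field = None
        elif tag == "div" and self._entry is not None:
            self.entries.append(self._entry)
            self._entry = None


def parse_friends_export(html_text: str) -> List[Dict]:
    parser = FriendsExportParser()
    parser.feed(html_text)
    parser.close()
    return parser.entries


def find_leaked_contacts(html_text: str) -> List[Dict]:
    """Entries carrying contact data the friend may never have given Facebook."""
    return [e for e in parse_friends_export(html_text) if e["email"] or e["tel"]]


if __name__ == "__main__":
    # To audit a real export, replace the sample with open("html/friends.html").read().
    for entry in find_leaked_contacts(SAMPLE_FRIENDS_HTML):
        print(entry["markup"], "|", entry["name"], entry["email"], entry["tel"])
```

Keying on the `mailto:` href rather than the visible text means a stray parenthesis or whitespace around the address does not matter; the `markup` field lets you confirm the "friendvcard" versus "friend vcard" distinction the comment asks about against your own file.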

It was 'addressbook.html' from your extended data download, not the normal data download.

I guess I am part of 6 million since I got a message from Facebook regarding this.

The weird part of it is that email address they say to have been exposed is not even part of my facebook profile.

Same here, I had three e-mails listed: my personal email I used for Facebook, my @facebook.com email, and a work e-mail that I don't appear to have listed in my profile or settings anywhere and don't recall even giving to Facebook.

Perhaps the "merged" contact information that got leaked included e-mails for you that your acquaintance had that you perhaps never told Facebook about?

EDIT: that would seem to be supported by this line:

"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."

Yes, indeed, it says so in the blog post, though not in the email itself.

Basically, it means that facebook has more (much more?) information about me, than they show to me in the profile. Not that I am surprised by that.

So, to clarify: if you downloaded your info, you would also download email addresses and phone numbers that other people thought were yours...that doesn't sound so bad.

No--it seems that if you downloaded your info, you would also download email addresses and phone numbers of your friends that other people had in their address books, without your friends ever knowing Facebook had that information.

To make it clearer, I don't have a FB account but from what I get from the article:

John adds Bob as a friend.

Alice adds Bob as a friend, and while crawling her contact info (say, on her smartphone), Facebook finds a phone number for Bob that Bob himself didn't give.

Facebook remembers the phone number on Bob's "shadow" account.

John downloads his info, and for his friend Bob he can see the phone number. Bob never gave it to Facebook, never gave it to John. Facebook never told Bob they had it.

This is exactly what happened. I never entered my phone number into anything Facebook, and today I received an email that referenced an old phone number of mine being inadvertently released. My strong suspicion is that Facebook crawled a friend's phone contact list, and linked my phone number to my name/Facebook profile.

LinkedIn did something equally as shady with their iOS app. I kept the email addresses of people I met on a trip to Europe on my phone, but never communicated with them. After installing the LinkedIn app on my phone, the "People You May Know" section for my account on the website starts recommending these same people that I met in Europe. I had no idea how this happened until the Path controversy started.

I never consented to anyone stealing my information -- whether it's on my phone or someone else's. What if my social security number or credit card number was stored in my or someone else's contacts? No company has the right to steal this information without consent.

I realize Apple eventually locked down access to Contacts but as far as I'm concerned, that was too little, too late. This never should have been "public" for any app to access, and I really don't think this was just an oversight from the company responsible for the fastest-growing ecosystem ever seen. This was not a misstep...they had to realize that this data could and would get out.

Even worse are the companies that stole from phones while knowing full well that what they were doing was wrong, and that they probably had a small window in which to scrape as much data as possible. Scum.

Move fast and break things.

Said bug is known as the Facebook corporate sales team.

I have heard this sentiment echoed by others - several industry insiders included - before.

If this is indeed true that the sales and marketing honchos are exclusively running large tracts of key operations, aren't the resulting missteps going to be deleterious to Mark's record as the chief?

This sentiment was echoed by Dalton Caldwell about Facebook's "M&A" team, last year:

  I am not sure if this bubbled up to you, Mark, but after this all happened I
  directly communicated my feedback regarding just how unhappy I was with this
  situation to one of your executives. The executive apologized and said he would
  take my feedback under consideration.

  Mark, I know for a fact that my experience was not an isolated incident. Several
  other startup founders & Facebook employees have told me that what I experienced
  was part of a systematic M&A “formula”. Your team doesn’t seem to understand
  that being “good negotiators” vs implying that you will destroy someone’s
  business built on your “open platform” are not the same thing. I know all
  about intimidation-based negotiation tactics: I experienced them for years
  while dealing with the music industry. Bad-faith negotiations are inexcusable,
  and I didn’t want to believe your company would stoop this low. My mistake.

Does Mark maintain control of all of the operations or has he got petty feudal lords running various units and operations?

Edit: Cleanup

So... People who already had my email/phone in another service were able to get it as part of downloading all their facebook data. Consequently, my email/phone was not disclosed (by Facebook) to anybody who didn't already have it. I don't really see an issue here.

I think you misunderstand: if friend A had information about you in their address book (stuff you didn't have on Facebook) and uploaded their contacts to Facebook, and friends B and C downloaded their Facebook data, it would contain the fields gathered from friend A's address book.

Forget PRISM, they practically gave away your personal info for free.

I wonder how much Facebook will reward for this bug?

much less than govt penalties they might end up paying.

Who cares they give it away anyway.

So, Facebook poses a privacy risk to many people who hand it their information freely. In other news, the sun rose again today at the expected time.
