Slashdot Mirror


100 Million Facebook Pages Leaked On Torrent Site

Stoobalou writes "A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site. The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook's open access directory, which lists all users who haven't bothered to change their privacy settings to make their pages unavailable to search engines."

29 of 163 comments

  1. FTFA by EricWright · · Score: 3, Insightful

    > perhaps the existence of a stalker's online black book might finally persuade less security-minded Facebook users to get their arses in gear.

    More likely it will precipitate a lawsuit. Why fix the problem when you can sue the pants off someone instead?

    1. Re:FTFA by TubeSteak · · Score: 5, Informative

      > More likely it will precipitate a lawsuit. Why fix the problem when you can sue the pants off someone instead?

      Sue for what? Violating Facebook's ToS?

      I'm surprised TFA didn't link to the guy's blog. He has a good writeup there
      http://www.skullsecurity.org/blog/?p=887

      The Torrent: http://www.skullsecurity.org/blogdata/fbdata.torrent

      --
      [Fuck Beta]
      o0t!
    2. Re:FTFA by Anonymous Coward · · Score: 5, Insightful

      In this case I think it is more of a matter of 'yeah so?'. I put my information on that website *SO* I could be found. Everyone else who links to me is doing the *EXACT SAME THING*. The whole point of this site as sold is to link you to your friends and family. That's it. How do you find people? Oh yeah you search for them.

      The usual internet problems exist. Do not put up there what you do not want others to know.

      I am sure there are dozens of ways to abuse the information that is up there. But guess what *YOU HAVE DECIDED* to put it up there...

      That you expect some sort of privacy from an application that by its nature is about being open and sharing whatever stupid thing you are doing is backwards.

      If you do not want to be found facebook is not the place to be. It shares everything no matter what your 'settings' are. You have by its nature shared with at least 2 parties. Your friends and facebook. If you want to keep a secret you do not tell people who are known to tell others.

    3. Re:FTFA by timeOday · · Score: 4, Interesting

      > The usual internet problems exist. Do not put up there what you do not want others to know.
      >
      > I am sure there are dozens of ways to abuse the information that is up there. But guess what *YOU HAVE DECIDED* to put it up there...

      The problem is that's not true. It is becoming increasingly easy to correlate all the information others have incidentally posted about you, and put together a pretty good picture of you, even if you personally have posted nothing at all.

      I have no facebook account. Yet yesterday I got an email facebook invite from somebody I've never heard of, and it said "here are 9 other friends of this person you may know." I *do* know 7 of the 9, through different business dealings that have nothing to do with each other. They're sure not people who "friended" me, since we don't have that kind of relationship. It's creepy.

  2. Re:Well by Gi0 · · Score: 4, Informative

    No. This torrent contains:

    * The URL of every searchable Facebook user's profile
    * The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc)
    * Processed lists, including first names with count, last names with count, potential usernames with count, etc
    * The programs I used to generate everything

    --
    There's no patch for stupidity
  3. torrent by digitalsushi · · Score: 3, Informative
    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  4. Leaked? by ikarous · · Score: 5, Insightful

    Misleading headline is misleading. These public profiles haven't been leaked. They've simply been aggregated.

    1. Re:Leaked? by jeffmeden · · Score: 5, Insightful

      They might as well have said "millions of home telephone numbers LEAKED via paper-based archive deposited randomly on doorsteps ALL ACROSS TEH COUNTRY!!!"

      Worthless headline; it should read "Facebook name and URL database created from already public information, nothing to see here, move along"

    2. Re:Leaked? by ikarous · · Score: 4, Funny

      > Fucking stupid sentences are fucking stupid.
      >
      > This isn't 4chan, take your meme shit back to the pedophile hole where it (and inevitably, you) belong.

      I have attempted to do as you suggest, but I'm afraid I've been unable to locate either feces of meme or a perforated pedophile. Nevertheless, I appreciate your advice.

    3. Re:Leaked? by ElectricTurtle · · Score: 4, Insightful

      You, sir, have written the only thing that need be said in this discussion. Congratulations are in order.

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
  5. Re:Well by Jedi Alec · · Score: 3, Insightful

    It's 2.8 gigs as it is, imagine how big it would get if 100 million pics were added to it ;-)

    --

    People replying to my sig annoy me. That's why I change it all the time.
  6. No, It's Just a List by eldavojohn · · Score: 5, Informative
    If you go to the originator, here's all it contains:

    This torrent contains:

    * The URL of every searchable Facebook user's profile
    * The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc)
    * Processed lists, including first names with count, last names with count, potential usernames with count, etc
    * The programs I used to generate everything

    You're going to get a URL to pages. If the user has since made them inaccessible, you'll only get what you can from their public profile. Like, you cannot get to my friends list from my public profile. You'll get "potential" usernames to log into Facebook. Big deal. Remember when everyone could make a username for Facebook and that was also their profile URL? Well, now you can guess the most common names and add them to this list like david. Then you could use ncrack or whatever.

    Not a whole lot in this file. Not like he scraped the pages of data and put that in a csv file for research or anything really interesting.

    --
    My work here is dung.
  7. Okay, so... by Revotron · · Score: 4, Insightful

    This guy wrote a script to crawl Facebook and download everything he could. So? Nothing is revealed here that we couldn't find manually ourselves by just looking at a person of interest's profile.

    This story is about a glorified crawler. No actual hacking transpired. No personal information that wasn't already revealed has been revealed. This is not news. In fact, I had to go back to TFS and double-check that kdawson wasn't the editor - that's how terrible this story really is.

    1. Re:Okay, so... by John Hasler · · Score: 3, Insightful

      > Until this data dump, the only people doing data mining were Facebook &
      > their partners.

      Do you seriously believe that no one has ever written such a script before?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. Where's the Pr0n? by ArcherB · · Score: 5, Insightful

    Would someone create a list that only contains public profiles with NSFW images?

    Thanx

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  9. Re:Security Research by bsDaemon · · Score: 3, Insightful

    I doubt there is a significant overlap between the people who follow computer security and online privacy issues and the people who still leave their Facebook profiles open for search indexing. I would venture a guess that most of the people harvested will never know, or care. I mean, after all, it doesn't even really sound like this guy did anything more than Google already did anyway.

  10. Sensational...ism by RobM9999 · · Score: 5, Informative

    Sensationalism - A manner of over-hyping events, being deliberately controversial, loud, self centred or acting to obtain attention. It is also a form of theatre.

    Yep, that's pretty much it.

    Just because he found the super-secret directory, http://www.facebook.com/directory/ and wrote a program that would read it. Of all the evil, nefarious things to do.

  11. Re:And now more people will know about it by causality · · Score: 5, Insightful

    > and get more information from those people. You stay classy slashdot.

    Rest assured that the blackhats who want this information already know about it. As another user suggested, one potential abuse of this information would be to choose targets for social engineering attacks. But those who would exploit it did not just now hear about it. If anything it's the public that is often left behind.

    If you don't want to see that reality then we cannot have a conversation about this. If you can see that reality, then I have one question for you: how do you propose we solve the bigger problem of raising awareness of the dangers and misuses of such databases without some publicity? The users who least understand how these things can be abused are generally the ones who are most actively making their personal information publicly available. Everyone else either doesn't share the need for personal exhibition, uses false data, or takes a deliberate and calculated risk with any real data made available.

    While I think it's an empty vanity personally, I'm not against someone making a public exhibit of themselves if that's what they wish to do. What I would like to see, however, is for those people to do this with a full awareness of how it could be used against them. The deck is somewhat stacked against them because the black hats thoroughly study how to misuse information, whereas the average user just wants to communicate with friends. That can change, and it really should.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  12. News flash: 400 million user profile pages leaked! by thePowerOfGrayskull · · Score: 3, Insightful

    News flash: 400 million user profile pages can be found online at facebook.com.

  13. Your Anger May Be Misdirected by eldavojohn · · Score: 4, Insightful

    > I'll bet there are about 100 million people who would like to test the security of Ron Bowes' nuts against a swift kick. I mean, he should be aware of the Extreme Pain vulnerability by now, and he should have taken the most basic security precautions by now, like wearing a cup. If not, well, he deserves what he gets, right?

    +5 Insightful? Why is it that we regard Tavis Ormandy as someone trying to expose the insecurity of Microsoft when he releases a how-to exploit Windows hack but when a security researcher attempts to reveal how insecure Facebook's "Directory" service can be we attack him as the creator of that service and not Facebook?

    I believe your anger would be better directed at Facebook. After all, this is posted in his blog for the world to see while a malware author could have just taken this list and run ncrack on it without anyone knowing.

    I would also like to point out that, as mentioned many times in this thread, this is just a list. Not even real names but just usernames of people on Facebook. That means that if you find your username on this list, you can restrict your settings so that no one can see your public profile. Then if someone uses this URL list to look you up they get nothing.

    So a security researcher tries to wake up Facebook users and he's the guy you want to kick in the nuts? Very curious.

    --
    My work here is dung.
    1. Re:Your Anger May Be Misdirected by John Hasler · · Score: 4, Insightful

      > I believe your anger would be better directed at Facebook.

      Why is there any need for anger at all? These users made their pages public. This guy created a list of public Facebook pages. So what?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  14. Re:Security Research by gstoddart · · Score: 3, Insightful

    > I'll bet there are about 100 million people who would like to test the security of Ron Bowes' nuts against a swift kick.

    Purely playing Devil's advocate here ....

    So, Facebook made this stuff public by default. The individual users didn't change their settings to make it private (either they didn't know, or didn't care). This guy collects all of the information which is open to him, and publishes it.

    I'm not saying I agree with scraping all of this information, but I place much more of the blame on Facebook for their shitty privacy policies and making a change to the data which made it public by default.

    This is a logical conclusion of having that much information public by default. It's scary to get that information on 170 million people, but, as TFA points out, this is hardly illegal.

    I'm sure Facebook will say this is a good thing, and that those users wanted that information made available since that seems to be their default position on security and privacy.

    --
    Lost at C:>. Found at C.
  15. Re:And now more people will know about it by causality · · Score: 4, Interesting

    > and get more information from those people. You stay classy slashdot.

    I'm not crazy about making a second reply to this one post but I wanted this to be said.

    I have some disagreement with this being modded -1 Flamebait. I don't think his intention was to start a flamewar, though I admit that's possible and an AC has already responded that way. Still, this is a genuinely held sentiment. A lot of people really do feel this way. It's as though they think that not talking about this problem and not making such information available will make it go away. That amounts to burying one's head in the sand.

    I'd rather call it out and explain why this is false and shortsighted than bury the comment under negative moderations. Making the comment disappear for all users who are not browsing at -1 will surely reduce the audience of that one comment. What it won't do is persuade others who mistakenly feel the same way. So I don't think this is Flamebait. I think this is a false perception that can be corrected with a true perception.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  16. Re:And now more people will know about it by Mark Hood · · Score: 3, Interesting

    > > and get more information from those people. You stay classy slashdot.
    >
    > Rest assured that the blackhats who want this information already know about it.

    I agree - and while it's good that more people know about this so they can protect themselves, it wasn't the case that every black hat knew about this already - there'll be a load of script kiddies giving it a go now, so the chances of getting hacked went up.

    That said, the people who had a genuine malicious intent were more than likely doing this behind the scenes, while the 'kiddies' tend to go for vandalism and defacement. I'd rather that if I got hacked, it just said 'ask me about teh spam' on my wall, than it silently installed a data-tracking app or something...

    But really, what's the issue here? That someone went to the trouble of scraping every public name and profile off the site, or that it wasn't Google?

    Mark

    PS Why doesn't Chrome recognise Google as a properly spelled word?

    --
    Liked this comment? Why not buy me something nice
  17. How is this a leak? by EmagGeek · · Score: 3, Interesting

    How is it a leak if all of these pages are available publicly anyway?

  18. NOT A LEAK, title is -as usual- stupid by xmousex · · Score: 3, Informative

    A leak is something that happens when previously hidden information is then made publicly available by someone on the inside.

    The information here is available to anyone that wants it, someone just spent some time compiling the data, who had no affiliation with facebook.

  19. What about: by phyrexianshaw.ca · · Score: 4, Interesting

    What about those of us who CHOOSE to make their profile completely public and full of information about themselves?

  20. Re:How do you "leak" public information? by twoshortplanks · · Score: 3, Funny

    > I saw that excellent security documentary with Steve Martin about the dangers of being listed in the phone book.

    That wasn't Steve Martin, that was Arnold Schwarzenegger. If I remember correctly it wasn't just a pain for Linda Hamilton, but her roommate and date had an even worse time of it too.

    --
    -- Sorry, I can't think of anything funny to say here.
  21. Re:100 Million Sensational Slashdot Headlines! by ferd_farkle · · Score: 3, Funny

    The other day, I used a wrong option for wget and downloaded the internet. Maybe I should post it on an Internet file-sharing site.