Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Confirms Data Breach

Posted by timothy on from the you-like-this dept.

another random user writes "A researcher by the name of Suriya Prakash has claimed that the majority of phone numbers on Facebook are not safe. It's not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook's 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort. Facebook has confirmed that it limited Prakash's activity but it's unclear how long it took to do so. Prakash disagrees with when Facebook says his activity was curtailed." Update: 10/11 17:47 GMT by T : Fred Wolens of Facebook says this isn't an exploit at all, writing "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page. Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked." Update: 10/11 20:25 GMT by T : Suriya Prakash writes with one more note: "Yes, it is a feature of FB and not a bug.but FB never managed to block me; the vul was in m.facebook.com. Read my original post. Many other security researchers also confirmed the existence of this bug; FB did not fix it until all the media coverage." Some of the issue is no doubt semantic; if you have a Facebook account that shows your number, though, you can decide how much you care about the degree to which the data is visible or findable.

34 of 155 comments (clear)

  1. Phonebook by Nerdfest · · Score: 4, Insightful

    A friend sent me an email a couple of years ago saying "Did you know that you have your phone number on FaceBook?". I said "Yes, I also have it in the phonebook".

    1. Re:Phonebook by bondsbw · · Score: 4, Insightful

      Actually, I just looked and noticed that Facebook has my phone number. I don't remember ever giving it to them, since I specifically don't want them sending me text messages (I don't have a texting plan and each text is a charge).

      When I click to remove it, it says "You will no longer be able to use this phone to receive notifications or upload any photos and videos to Facebook."

      Perhaps they got my number because I installed the app on my phone? I just don't remember explicitly giving it to them.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:Phonebook by Anonymous Coward · · Score: 5, Funny

      Phonebook? Is that like an e-book on your phone?

    3. Re:Phonebook by Crayon+Kid · · Score: 4, Interesting

      You probably don't remember this, but when you first started using the Facebook application on your phone you had to confirm your phone number. You probably got a text with a code you had to enter or something like that.

      You can remove the number, as you noticed, but I'd be really skeptical whether they actually remove it. I suspect they don't, since it's a great way of tracking people across multiple accounts. As you experienced yourself, people often forget that they made Facebook aware of their personal phone number at some point in time.

      Consider for example the case of someone who becomes more privacy-aware, closes their initial FB account then later opens another when where he is more guarded about who he friends and what he publishes. And he thinks he's leaving less of an online footprint... when in reality I bet FB is tying it all in with his previous account.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    4. Re:Phonebook by Thruen · · Score: 5, Insightful

      The phone book doesn't have my cell phone number, or most other peoples' cell phone numbers, but that is what Facebook has most of the time. The phone book doesn't have photos of me, my friends, and my family so as to positively identify me from anyone else in the world who might share my (relatively common) name. The phone book doesn't not allow me to find people by interest so I can find people to call and sell my products to. The phone book requires you to know pretty specifically who you are looking for in order to find them without using the trial and error method. Oh, and lastly, you know the phone book is going to list your number unless you do something about it, and many people choose not to have their number listed, Facebook was never supposed to list your number and so people gave it to them expecting it to remain private. So, while you might not care that Facebook decided to show your number, plenty of people would be bothered by it. It isn't the end of the world or anything, but to downplay it and equate it to having your number in the phone book is a just a bit crazy. Oh, and a point I nearly forgot, lots of teenagers have their cell phone numbers in their Facebook accounts, and without tackling why they shouldn't to begin with, those numbers should definitely not be available publicly.

    5. Re:Phonebook by Thruen · · Score: 2

      Personally, I'm not bitching, Facebook doesn't have anything of mine I need kept private. They have my name, and some pictures I wanted to share with family and friends, none of which even include any people. I keep it simple partly because I don't trust Facebook, mostly because I don't use it often and don't care to. Facebook is an optional service, sure, you don't need it at all, but as much as I used to hate on it, it does provide a number of benefits for people who want to use it. You can tell people they shouldn't share so much and that's all well and good, but you shouldn't have to avoid services like Facebook because you can't trust them, it should piss people off when things like this happen. Any time you use a service and it doesn't operate as they claim it should, you should be pissed off. Like I said above, you can avoid all of your computer-related woes by staying off the computer, but you really shouldn't have to.

    6. Re:Phonebook by Dishevel · · Score: 2

      Facebook is different.
      We know the privacy is a joke. We know that if we set stuff private that in the next "enhancement" all of it will be moved and reset back to everything public.
      They do it every time. There is no reason to believe that your data will be or ever has been protected.
      Facebook is working as intended. You can not get mad at a stove for getting hot.
      You can not get mad at Facebook for making all your shit public.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  2. So? by backslashdot · · Score: 4, Insightful

    Remember phone books? It used to be possible to match people with not only their phone number but their home address too.

  3. Facebook is by kiriath · · Score: 2

    One giant privacy breach anyway. I mean seriously, they churn your personal lives into gold.

    Not much right now, but SOMEDAY they will churn your personal lives into gold.

  4. "not safe"? by 1u3hr · · Score: 3, Insightful
    How is a phone number "not safe"?

    Its a new one on me to have an infected phone number. I guess they mean "not secret".

    And who cares? Ever heard of phone directories? You can find millions of phone numbers in there. Including mine. Phone spammers have lists anyway or just have dialers that try every number in a range till one answers.

  5. Need a Survey / Cognitive Risk by retroworks · · Score: 4, Interesting

    It would be really interesting, as a kind of control group, to ask a statistically represented sample of people how alarmed they are, on the basis of 1-10, about the following: 1) Their name is in the phone book, 2) The government has their Social Security Number, 3) Their face is recognizable by the bank ATM camera, 4) their neighbor has a X% chance of receiving their mail in the wrong mailbox. Throw in the word "breach" and watch the fur fly.

    --
    Gently reply
    1. Re:Need a Survey / Cognitive Risk by Minwee · · Score: 4, Funny

      Then you'd be surprised at how many databases your groin has been in.

  6. One teensy weensy difference... by Viol8 · · Score: 5, Interesting

    Phonebooks were generally only easily available in the area you lived in and not accessable by Vlad in Minsk who wants to collect as much data as he can on you to impersonate you to a bank. Not only that , but once data is on a computer a lot of things can be automated. When its in barely readable type in a large book its a bit more effort.

    1. Re:One teensy weensy difference... by Anonymous Coward · · Score: 3, Insightful

      I remember in the mid 80s buying entire united states phonebooks on disks...

      In the 90s it was a giveaway with many computers on a CD.

    2. Re:One teensy weensy difference... by Minwee · · Score: 5, Informative

      It's a good thing there are no phone books on the Internet, isn't it?

    3. Re:One teensy weensy difference... by Crayon+Kid · · Score: 2

      Phonebooks were generally only easily available in the area you lived in and not accessable by Vlad in Minsk who wants to collect as much data as he can on you to impersonate you to a bank. Not only that , but once data is on a computer a lot of things can be automated.

      So if I get this right, your solution to the fact that the US has a major identity theft problem is "would everybody be so kind and ignore it", or perhaps "bad guys, please don't use computers"? I'm afraid it may not work very well.

      I'm not even sure what's with the American paranoia against unique ID cards. It's not like not having them grants you any anonimity. If anybody (including your .gov) wants to find stuff out about you, they do. You already have unique social numbers, so all the worse parts of being uniquely identifiable in a centralized database are already happening. You're just missing out on all the good parts, such as limiting identity theft, or a comprehensive civil registry. I mean, it's ridiculous that in the US you can't really prove you've never been married.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    4. Re:One teensy weensy difference... by Tastecicles · · Score: 2

      don't know about that situation but the main library in my city (Nottingham) has always (to my recollection anyway) had a section aside exclusively for phone directories, both Yellow Pages and the domestic phone book, for the entire UK.

      --
      Operation Guillotine is in effect.
  7. Anecdote Time! by eldavojohn · · Score: 5, Interesting

    Remember phone books? It used to be possible to match people with not only their phone number but their home address too.

    Ah, yes! And let me tell you a story about that! I used to have a very common name. So common that according to the latest census there are 40,000 of me walking around the United States (first and last name). I have met myself (first, middle and last) four times and the second time I met myself I was 19 and he was 20 and he said to me: "Don't you ever let your name be published in the phone book" (as advice from one being raised in a major metropolis and I being raised in a very small town) and then went on to describe at length how, when he turned 18, he started receiving odd phone calls from credit card companies demanding he pay up tens of thousands of debt. After months of harassment, he finally got it all straightened out with one of the credit bureaus who then basically had to show the credit card companies that his records and the records of the real person they were looking for were completely different. The other odd thing was that the address the credit card companies had on file had the same exact abbreviations as his address in the phone book and the person had "moved" to that address right when my friend turned 18 and had his name put in the phone book.

    Is it a common problem? Maybe not ... but I'd just as well keep as much of my life private as possible ... to avoid whatever creative scofflaw there might be out there.

    --
    My work here is dung.
    1. Re:Anecdote Time! by SIR_Taco · · Score: 4, Funny

      ...

      I used to have a very common name. So common that according to the latest census there are 40,000 of me walking around the United States (first and last name). I have met myself (first, middle and last) four times and the second time I met myself I was 19

      ...

      John Jacob Jingleheimer Schmidt? That's my name, too!

      --
      I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
    2. Re:Anecdote Time! by Tastecicles · · Score: 2

      Hi Joey's friend, he says you owe him five Bucks and he wants it by Friday or he's sending his "friend" the Thumb Collector.

      --
      Operation Guillotine is in effect.
  8. What Do You Mean by "Data Breach" by Anonymous Coward · · Score: 5, Insightful

    The *only* difference between a "data breach" and their normal business model is that Facebook didn't get paid.

    1. Re:What Do You Mean by "Data Breach" by IamTheRealMike · · Score: 3

      I suspect this boils down to inadequate controls on data scraping, ie an API that's meant to surface data for an interactive UI can be scripted to enumerate every possible user and they don't have any automated controls on it.

  9. Aren't there editors that review submissions? by Ericular · · Score: 2

    "Facebook has confirmed that it limited the Prakash's activity". -- What is "the Prakash"?

    "Prakash disagrees with when Facebook says". -- That phrasing doesn't feel right to me either.

  10. misleading by tero · · Score: 5, Insightful

    So this is not about breaching phone numbers data that are set to private. This is about finding publicly published phone numbers through the normal search.

    Meh. Phonebooks didn't even have privacy policies back in the day.

    A more valid complaint might have been the ever changing default settings and user interface "improvements" which make finding the said settings very hard.

    But even then, this is not really post-worthy.

  11. I just refused to install the Facebook app by bdwoolman · · Score: 4, Informative

    I grudgingly use Facebook (Forcebook, Farcebook, Facebroke, Facebork) because so many of my real friends from overseas postings here and there can be found on it. They move around, too, and, well, it just makes sense.. My Android phone just offered me the opportunity to install the FB app when I checked an email message from Facebook -- A friend request from a German pal of mine from my days in Armenia (See?) He's in Uraguay it seems. Well, when I was ready to do the install I read the permissions list.Holy privacy invasion, Batman! It was going to do all the crap I painstakingly don't let the creepy site do on my web browser (it is a battle). And then it was going track my location to boot.

    Bondsbw, you so gave them permission to have your phone when you installed that app. Moreover, you also gave them permission to marry your firstborn child off to the evil sorcerer Zuck when he or she comes of age. (The sorcerer swings both ways.) Oh, I forgot F*ckedbook.

    --
    "No fear. No envy. No meanness." Liam Clancy
    1. Re:I just refused to install the Facebook app by Anonymous Coward · · Score: 2, Funny

      Oh, I forgot F*ckedbook.

      you don't have to have ex girlfriends on facebook

    2. Re:I just refused to install the Facebook app by FreonTrip · · Score: 2

      I was always partial to "Fartbeak," myself, mostly because I wonder what the mascot would look like.

  12. Safegaurding anonymity by Picass0 · · Score: 2, Informative

    I hope I don't sound trollish, but it is ultimate your responsibility to safegaurd information you don't want passed around. Reliance on Facebook to safegaurd your stuff implies they care about a few phone numbers, or private photos, or whatever. They don't. They'll write some form letter to everyone and apologize and then go back to fretting about their stock price.

    At Facebook you the product for sale. As long as you keep coming back they don't have a problem.

    1. Re:Safegaurding anonymity by Picass0 · · Score: 2

      I did not hand out personal information when I created my /. account all those years ago. I can express every opinion I want on Slashdot without handing over my blood type.

      The problem in your logic is it assumes a person needs a facebook account (or like service). What do Myspace, Google+ and Facebook all have in common? I don't have user accounts on any of them.

      I belong to several discussion forums where I post at almost daily. None of them have my real name, phone number, pictures of me or my kids...

      I don't want online identities regulated. One more goverment oversight that can be easily abused.

    2. Re:Safegaurding anonymity by Thruen · · Score: 2

      They're not the only service you give your information to, they're just the ones that you don't use. I don't have a MasterCard, so if they release all of their customers' information I should think "They're stupid for using MasterCard!" You can argue that they're optional all you want, but so are credit cards, cable, and the internet you use to find said discussion forums. There's no reason to sit there and say it's the users' fault for using a service, that's completely ridiculous. Any time a service, even if it's optional, handles your personal information, they should be held to a certain standard. Calling it the regulation of online identities is a silly way of making it sound like the government would be controlling our online lives, when really all we need is for them to say if a service can't keep to it's word they pay a big-ass fine based on their revenue.

  13. Re:Visit from the FBI by SecurityGuy · · Score: 2

    That's hilarious. I suppose the real criminal NEVER would have signed paperwork swearing he wasn't the real criminal.

  14. Confirmed: works for private numbers by Anonymous Coward · · Score: 2, Interesting

    I verified that my mobile number is set to be visible to myself only. I then used a fake facebook account that I keep around, and searched for my phone number. Sure enough, my account showed up. If I try to remove it, I'm informed that I will no longer be able to use that phone to do anything with Facebook. I removed it anyway, and so far, Facebook is still returning my account when I search for my cell number.

  15. Yes, let's put a billion eggs into this basket by sootman · · Score: 4, Informative

    Businessweek: What's possible at a billion-plus users that wasn't possible at, say, 500 million?

    Mark Zuckerberg: There are two ways that I look at this. There's what we can build internally and then there's what can be built externally using Facebook. I'll start with the external stuff... when we were at half a billion people, you got these large-scale services like Skype or Netflix (NFLX) that also had big user bases. And we weren't yet at the point where the majority of their users were Facebook users, so they couldn't really rely on us as a piece of critical infrastructure for registration. A lot of startups did, but the bigger companies couldn't. Now really everyone can start to rely on us as infrastructure.

    http://www.businessweek.com/printer/articles/74456-facebooks-next-billion-a-q-and-a-with-mark-zuckerberg

    The problem isn't that the data exists. (As others are pointing out with phonebook analogies.) The problem is that the data--your data--isn't safe. Not that it's totally safe anywhere, but FB seems to have had more than their share of problems.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  16. Simple answer: by Tastecicles · · Score: 2

    Remove your number from Facebook listings (easy done) and write the administrators with a tort-actionable letter stating they have seven days to remove it from their database (not so easy; you will have to be prepared to take it to small claims court to action the tort, which in the UK is £5000 so make the option a claim for £4999.90. If you do end up taking a claim, you will likely get a summary judgment in favour since you made a legal request to a company, who are very unlikely to send a representative to challenge it. International borders be damned, they do not exist; when a company trades in the UK they play by UK rules or they fuck off.

    --
    Operation Guillotine is in effect.