Slashdot Mirror


Facebook Bug Exposed 6 Million Users

jamaicaplain sends this quote from the NY Times: "Facebook has inadvertently exposed six million users' phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said late Friday. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook's security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until Friday afternoon, when it published a message on its blog explaining the situation."

53 of 75 comments

  1. The bug was by Anonymous Coward · · Score: 2, Insightful

    That it didn't expose them to advertisers.

    1. Re:The bug was by ozmanjusri · · Score: 1

      Very little doubt about that.

      About a year after Facebook reportedly joined PRISM, Max Kelly, the social network's chief security officer left for a job at the National Security Agency,

      http://www.theatlanticwire.com/technology/2013/06/facebooks-former-security-chief-now-works-nsa/66432/

      --
      "I've got more toys than Teruhisa Kitahara."
  2. They have to fix it fast. by 140Mandak262Jamuna · · Score: 4, Insightful

    This highly confidential data is a very valuable thing and the most important thing Facebook is selling to its "partners". Leaking this information for free without collecting revenue is highly detrimental to the company. They have since fixed the problem, it is all well and good. You now have to become a "partner" and pay the required fees to Facebook to get such confidential data.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:They have to fix it fast. by swillden · · Score: 4, Informative

      I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:They have to fix it fast. by PolygamousRanchKid+ · · Score: 4, Insightful

      I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

      I feel funny defending the NSA, but unless they're blatantly violating their own published privacy policy, they don't spy on US citizens. While it's possible they're intentionally violating their policy, I think that's unlikely.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:They have to fix it fast. by swillden · · Score: 1

      I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

      I feel funny defending the NSA, but unless they're blatantly violating their own published privacy policy, they don't spy on US citizens. While it's possible they're intentionally violating their policy, I think that's unlikely.

      Absent evidence to the contrary -- which we now possess -- I would agree. The thing about large-scale deceptions is that they tend to get outed. That applies both to government and private industry.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:They have to fix it fast. by girlintraining · · Score: 1

      In Canada at least, Tor is awful. Because others can use your connection as well, if someone looks at child porn from behind your connection, you are guilty of distribution.

      ...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:They have to fix it fast. by girlintraining · · Score: 1

      I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

      ...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:They have to fix it fast. by swillden · · Score: 1

      I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

      ...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

      Actually, I never signed up for Farmville... and I don't even use Facebook any more :)

      But, yes, if you explicitly give them permission to share your info then they have your permission.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:They have to fix it fast. by davester666 · · Score: 2

      Yes, they don't SELL pii to others.

      They only RENT it.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. What's a facebook? by I'm+New+Around+Here · · Score: 5, Funny

    I don't act smug and superior when I tell people I don't have a Facebook page.

    But I think I should start.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    1. Re:What's a facebook? by l3v1 · · Score: 1

      You're not "smug and superior". You're full of ... reason.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    2. Re:What's a facebook? by Anonymous Coward · · Score: 1

      I don't act smug and superior when I tell people I don't have a Facebook page.

      But I think I should start.

      You say you don't act smug and superior, but it is very interesting how much people on Slashdot feel the need to brag about not using Facebook.

    3. Re:What's a facebook? by hurwak-feg · · Score: 1

      I don't understand what acting smug and superior in saying you don't use Facebook will accomplish. I'm not saying it is a bad idea, I just want to know your reasoning before forming an opinion of your opinion.

    4. Re:What's a facebook? by ebno-10db · · Score: 1

      You're not "smug and superior". You're full of ... reason.

      It's not an either/or situation - they make a great combo.

    5. Re:What's a facebook? by Anonymous Coward · · Score: 1

      I used to use Facebook on perhaps a weekly basis. But, you soon find that the people who you typically "friend" - your family and people you know - just send around idiotic conspiracy theories, pass on bogus "tell all your friends about this" spam, lame ass religious notes, scans of old pictures from the 1970's, etc. Oh, and they sometimes yell at you for no good reason too. I'm glad I left and went to Google+ where you typically don't follow people you know IRL as much and, instead, engage with interesting people.

      I never closed my account. But my "private" information on FB shows that I live several states away from where I really do and they don't have my real phone number.

    6. Re:What's a facebook? by Anonymous Coward · · Score: 1

      You're right, and I'm also tired of political correctness and respectful behavior at all costs. The crude truth is that those who don't use facebook are actually superior. Period.

      If a person tells the world real name, friends, photos, what he/she does at any moment of the day and many other personal details that not even a spy agency would have, he/she is simply a dumbass. OBJECTION: how is it possible that there are more than 1 billion dumbasses in the world? Sorry, it IS possible. Not nice to say it, but it's the f*ckin' truth. We live in a world full of idiots.

    7. Re:What's a facebook? by Known+Nutter · · Score: 1

      OBJECTION: how is it possible that there are more than 1 billion dumbasses in the world? Sorry, it IS possible.

      This same set of fuckwits are also the ones complaining about the NSA shit. Now, the NSA by many accounts is up to some fucked up stuff, but for one to complain about being spied on while at the same time posting every boring detail of their life on facebook is the true mark of a mouth breather.

      --
      Beware of the Leopard.
    8. Re:What's a facebook? by Rod+Beauvex · · Score: 1

      Don't worry. Facebook will make a page for you.

    9. Re:What's a facebook? by MogNuts · · Score: 1

      Ha you should. I held out too all these years. Long story though, but I finally might be forced to use it. :(

      On that note, because I don't want to give facebook that data to begin with and have it act as malware and scrape all my email accounts and browsing history (even if I'm logged out), I was thinking of the following. Let me know what you think Slashdotters:

      1) Does running FB as a different user on the same machine (but obviously then running the same browser executable) preclude FB from getting the other user's data? Does (Windows in this case) it treat multiple users as truly different and private, in regards to the browser?

      2) Or should I simply use a different browser solely for FB which wouldn't let it get any data in my other browser?

      I ask because I simply refuse to let the ultimate in malware, aka Facebook, scrape all my browsing history, emails and content, contacts, etc. Also, don't forget, all shady 3rd party companies get your data too.

    10. Re:What's a facebook? by Douglas+Goodall · · Score: 1

      I used facebook for a while. I had to unfriend my grand-daughter because her teen chatter offended me, and I didn't want her to offend my other "friends" as well. I started to feel a loss of control when I realized the bizarre things that can happen when you introduce all the people you have ever known to each other. But the real reason I detached from FB was that I started to see the connections growing between them and the rest of the world. Every time I turn around on the Internet, some piece of software is offering to log me into FB as a courtesy. Then I started noticing web sites where you couldn't participate if you were unwilling to provide your FB credentials. There are a lot of news sites like that. When you want to comment on an article, up comes that FB login dialog. In terms of growing risks, the more systems that are closely bound to FB, the bigger the disaster when something goes wrong.

    11. Re:What's a facebook? by I'm+New+Around+Here · · Score: 1

      Then I started noticing web sites where you couldn't participate if you were unwilling to provide your FB credentials. There are a lot of news sites like that. When you want to comment on an article, up comes that FB login dialog.

      In terms of growing risks, the more systems that are closely bound to FB, the bigger the disaster when something goes wrong.

      Hello,

      Original poster here, just wondered about something, if you don't mind. What browser do you use online? I use Firefox, with a few add-ons installed. One of them is called NoScript, and it disables all the automatic links you mention on websites. You can choose to enable individual scripts, either permanently or just for that visit. You would be amazed at the number of scripts running on various websites.

      For example, I just opened another tab and visited a news story at NY Times to check. When I moved my mouse cursor over the NoScript icon up above, it listed 6 scripts (or links to other sites or domains) that were being blocked. These include nytimes.com, nyt.com, krcd.net, insightexpressai.net, googlesyndication.com, and typekit.com.

      I have now enabled the nytimes.com in that tab, which allows the page itself to load more items, with their own scripts/links included. There are now 4 more scripts listed, including one for Facebook. The others are for scorecardresearch.com, chartbeat.com, and revsci.net.

      If you don't use Firefox, I would recommend it, with NoScript and AdBlock as well. At the least, it will show how interlocked these sites are.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  4. Testing by hurwak-feg · · Score: 2

    It would be interesting to see their test cases. This seems like their test cases weren't very well thought out. Or the more cynical view is testing takes time and money to pay people to do the testing. It's cheaper to just deploy the application.

    1. Re:Testing by ebno-10db · · Score: 5, Insightful

      Test cases? We're talking about Facebook - the company that often tests software by just going live with it. Some people call this rapid development, but I call it sloppy garbage.

    2. Re:Testing by binarylarry · · Score: 1

      They use PHP for fuck's sake.

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:Testing by 140Mandak262Jamuna · · Score: 2

      You call it sloppy garbage. The all knowing market with its invisible hand thinks it is worth a few billion dollars.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    4. Re:Testing by Pieroxy · · Score: 1

      If you think you can keep something of the magnitude of facebook up 24/7 with no test cases you've not been in software development very long.

    5. Re:Testing by ebno-10db · · Score: 3, Insightful

      The all knowing market also brought us the tulip bulb bubble, and that invisible hand is reaching for your wallet.

    6. Re:Testing by ebno-10db · · Score: 1

      FB is not up 24/7. It sometimes goes down for hours at a time (second hand info as I don't use it myself).

      Furthermore, and rather obviously if you understand that not every passing snark is meant to be completely literal, my point was that they don't do very thorough testing before going live. I have no idea why anyone would be impressed by most of FB's "technology". They're hardly so bleeding edge that they can be forgiven such flakiness as an inevitable part of new technology. As a contrasting example, financial networks have been around since the 1960's, and have kept getting more sophisticated. While not infallible, anybody who deployed code that lost $1B in transit would probably be shot rather than fired. It's FB's sort of flaky toys that makes many people think that software is an inherently unreliable scam.

    7. Re:Testing by ebno-10db · · Score: 1

      Ebno's law: you can write bad code in any language, but some languages make it easier than others.

    8. Re:Testing by ebno-10db · · Score: 1

      Call it what you like, the creators are billionaires and still have their youth.

      By your logic I have no right to criticize the Deepwater Horizon catastrophe because BP is a big successful company.

  5. its like vkontakte for imperialist westerners by decora · · Score: 1

    also it kind of tends to break a lot

  6. faceboo cannot arrest, imprison, rape, kill by decora · · Score: 2

    people, at least not that i know of.

    people who cannot comprehend the difference between a private corporation, with your consent, sharing your information, and government agencies obtaining your email without warrant, are

    1. uneducated
    2. ignorant
    3. i kind of worry about what their view on consent in other areas of life is, like sex.

    1. Re:faceboo cannot arrest, imprison, rape, kill by Anonymous Coward · · Score: 1

      So, pretend Facebook sells your data to third parties and doesn't hand it all over to the government willy-nilly.

      Then, realize that Booz Allen is a third party.

      What does the NSA need your data for, when it can just hire a contractor who doesn't have fourth-amendment concerns?

    2. Re:faceboo cannot arrest, imprison, rape, kill by guttentag · · Score: 1, Insightful

      people, at least not that i know of.

      people who cannot comprehend the difference between a private corporation, with your consent, sharing your information, and government agencies obtaining your email without warrant, are...

      Facebook use leads to Arrest
      5/26/13 In Britain, Police Arrest Twitter and Facebook Users If They Make Anti-Muslim Statements

      Facebook use leads to Imprisonment
      5/25/13 Jailed for Facebook Comments, Marine Sues

      Facebook use leads to Rape
      5/28/13 Facebook Rape Joke Prompts 15 Companies to Pull Ads

      Facebook use leads to Killing
      2/09/12 Facebook "Defriending" Led to Double Murder, Police Say

      It seems you're right in that there is a difference between Facebook and the NSA. The NSA's system has a far cleaner track record. If only the NSA would let us join their social network we'd live in a safer world.

    3. Re:faceboo cannot arrest, imprison, rape, kill by aardvarkjoe · · Score: 1

      aardvark's law: In any group of people, the majority are idiots.

      Newsflash: stupid people use facebook. That doesn't make Facebook responsible for what they do.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    4. Re:faceboo cannot arrest, imprison, rape, kill by Doh! · · Score: 1

      If only the NSA would let us join their social network we'd live in a safer world.

      Good news! You can indeed join the NSA's social network. In fact you probably already have!

      The NSA's PRISM social network works on practically any platform, on any device, even old landline phones! It integrates seamlessly with your email, SMS, and phone experience. PRISM auto-populates your contact list so there's no need to manually find and add your friends. Their strict privacy policy is the best in the industry — your personal data will never be sold or given to third party organizations or individuals, even you! Only the NSA and their direct partners have access to your information. To join, just pick up your phone and call someone, anyone!

  7. Most Appropriate Slashdot Mobile Ad Ever by guttentag · · Score: 1

    The ad that came up on this slashdot page was:

    How long will you live? The Cookie will tell you!
    Subscription $10/Mt

    At first I thought it was a sarcastic commentary about Facebook browser cookies having more information about you than they should, and having to pay to get the information out of them. Or perhaps the existence of Facebook cookies in your browser telling advertisers something about your intelligence, like users of IE versus Chrome. Then I noticed the fortune cookie drawing next to it. And I thought captchas were nearing sentience when they began to exhibit a sense of contextual humor.

  8. The bug that exposes your info by FuzzNugget · · Score: 2

    It's just called "Facebook"

  9. Criminal Liability? by Secret+Agent+Man · · Score: 2

    Is there any sort of punishment available for this? When a company hoards massive amounts of data, and it gets leaked, does anything happen other than "sorry, guess we goofed"?

    This is one of the many reasons I don't like companies (or the government) sitting on so much data like this: If they have it, someone else will get it.

    1. Re:Criminal Liability? by thegarbz · · Score: 1

      The problem with criminal liability for software bugs is that there wouldn't be any software if the risk of punishment was high. Making a perfectly bug free system is incredibly difficult, even more so if the bugs can be due to someone else's software (like MySQL or something similar, or the OS).

  10. CODE SCHMODE by JeanInMontana · · Score: 2

    Facebook code is rewritten every Tuesday. On Wednesday expect things to be FUBAR and forget weekends when use is even higher. Anyone with an account must accept the fact they are in no way safe, secure or private in any way no matter how diligent one is in trying to keep up with the ever changing settings and reverts to default.

    --
    *Think globally~Dream universally*
  11. Phone numbers..WTF? by Anonymous Coward · · Score: 1

    What sort of moron gives their phone no. to facebook?

  12. where did FB get my phone # and birthday? by RavenManiac · · Score: 2

    I didn't give it to them. Neither are mentioned in any posts.

    I don't want to display that and wish to delete. Does Google+ do that? I suspect they can, but may not.

  13. HA! by JoeCommodore · · Score: 1

    I don't have any friends! :-P

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  14. Privacy? What privacy? by houghi · · Score: 1

    If people really cared about their privacy, they would leave in droves. If people really cared about their privacy, people would lynch the NSA, TSA and other agencies raping their privacy. If people really cared they would see that ALL political people would have it high on their agenda and follow through on it.

    Unfortunately, people do not care. They are willingly giving up their privacy. They think it is nice to watch other people's lives on TV with 'reality shows' and they are willing to do almost anything for their 15 minutes of fame.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Privacy? What privacy? by jones_supa · · Score: 1

      The trick is that the datamining and stuff happens behind the scenes, and thus people do not sense their privacy being compromised. When people get to choose what they upload to the site, and they can set in the preferences which users can see the material, they feel that they are in control well enough and feel protected enough to keep using the site. They never receive the report stating where their data was sent to (with unlimited access to it), what kind of complex advertising profiles were created based on it, and so on.

      And when we add to the equation the actual positive features of FB (hey, it's a damn powerful communication tool), it's a win for most.

  15. Security kudos by AnotherAnonymousUser · · Score: 2

    You have to admit, for all the Facebook bashing that happens, the fact that hacks, break-ins, and bugs of this nature are so uncommon, given that they're dynamically managing a userbase of a billion people, is an impressive task.

    When break ins or bugs do occur, they happen in a very big and very bad way, as a single bug affects millions, and there's a lot of people I wouldn't want seeing my personal data. Most of us here seem to take the stance of locking down our Facebooks, keeping what's posted at a minimum, and generally keeping it at a distance with a ten foot pole, but there's admittedly very little respect for Facebook managing to be more or less secure from a technical standpoint. Now, their change deployment policy is god awful, but that's a different piece altogether...

    1. Re:Security kudos by ebno-10db · · Score: 1

      You have to admit, for all the Facebook bashing that happens, the fact that hacks, break-ins, and bugs of this nature are so uncommon, given that they're dynamically managing a userbase of a billion people, is an impressive task.

      I have to admit no such thing. First, there are a billion accounts, not a billion users (many users have multiple accounts), and many accounts are largely dormant. FB loves to hype their numbers. Second, there are hundreds of millions of bank accounts in the world, many of them now accessible online. Financial networks have been around since the 60's and have gotten much more sophisticated. While not perfect, they're incredibly more reliable than FB, otherwise we'd all be keeping money in mattresses. People go "ooh, ahh" over FB not because their technology is impressive, but because it's a cool new thing from Silicon Valley. Best renamed Silly Valley to keep up with its trends, it's gone from selling amazing tech (e.g. the first IC's) to selling amazing hype.

    2. Re:Security kudos by Pieroxy · · Score: 1

      Waitwhat? Do you think Facebook communicates on all break-ins and hacks that happen? That's assuming they discover them all which is pretty unlikely IMO.

      No, what we see in the news (such as today's news) is just the tip of the iceberg. How deep the iceberg really goes, nobody will ever know. Look at Stuxnet!

  16. Funny how that works. by WOOFYGOOFY · · Score: 1

    It's never advertisers' emails and contracts and deals that get exposed, although one can assume these things are held electronically and have a great deal of value to someone, certainly more value than the 0.25 -$1.00 lifetime value Average FB User's email is worth.

    Not saying companies deliberately release their users' emails so that when that information later figures as evidence in a crime / scam / scandal FB has plausible deniability.

    get everyone's email and personal info.
    pretend to "lose" some.
    ???
    profit.

  17. In related news by gmuslera · · Score: 1

    Facebook design exposed 1 billion users. And Facebook home country exposed 6 billion users. When you put things in perspective nothing really matters anymore.