Acorn Newsbot
The world’s largest social network, Facebook, has been rushing to calm its 1.1 billion users after reports that private data has been publicly exposed, bypassing users’ personal preferences. Facebook’s security team estimate that the “bug” may have left over 6 million user accounts open for almost anyone to access.
What happened?
According to the details of the Facebook Security Advisory article, although personal details may have been exposed, the process of obtaining it was convoluted. To get hold of the unsecured information, a cybercriminal needed to:
• Upload their contact list or address book to Facebook.
• Generate a number of invitations for their “friends”.
• Use the Download Your Information (DYI) tool to obtain a copy of all the data stored in their own Facebook account.
The personal data was exposed within the downloaded data and came about as a result of the way that Facebook analyses the contacts in an uploaded address book. The Facebook system compares uploaded data to match existing account holders in its system. It then stores this information in your online address book along with other contact data, such as telephone numbers, which was not shared publicly.
This additional data remained protected and invisible until the DYI tool was used to download information from Facebook. At this point, private information attached to contact records should have been stripped out, but instead it was left in for the downloader to read and potentially abuse.
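The matching-and-export flow described above, modelled as an added example (constructed here, not Facebook's code): every stored contact field carries a provenance tag, the flawed export dumps everything, and the corrected export keeps only what the exporting user uploaded themselves. Account data and phone numbers are constructed sample values.

```python
# Constructed sample of registered accounts: user id -> fields on file.
ACCOUNTS = {
    "u1": {"email": "alice@example.org", "phone": "+44 7700 900001"},
    "u2": {"email": "bob@example.org", "phone": "+44 7700 900002"},
}


def import_address_book(uploaded):
    """Match uploaded contacts against accounts and store the matched account's
    extra data alongside, tagging each field with where it came from."""
    book = []
    for entry in uploaded:
        record = {"fields": {}, "matched_user": None}
        for k, v in entry.items():
            record["fields"][k] = (v, "uploaded")  # supplied by the uploader
        for uid, acct in ACCOUNTS.items():
            if any(acct.get(k) == v for k, v in entry.items()):
                record["matched_user"] = uid
                for k, v in acct.items():
                    if k not in record["fields"]:
                        # Enrichment from the matched account; the uploader never
                        # provided this and it must not leave the system.
                        record["fields"][k] = (v, "matched")
        book.append(record)
    return book


def export_buggy(book):
    """Flawed DYI export: dumps every stored field, matched data included."""
    return [{k: v for k, (v, _src) in r["fields"].items()} for r in book]


def export_fixed(book):
    """Corrected export: only fields the exporting user uploaded themselves."""
    return [{k: v for k, (v, src) in r["fields"].items() if src == "uploaded"}
            for r in book]


def leaked_fields(book):
    """Check used to validate an export: (matched user, field) pairs that the
    buggy export reveals but the fixed export does not."""
    leaks = []
    for r, bad, good in zip(book, export_buggy(book), export_fixed(book)):
        for k in bad.keys() - good.keys():
            leaks.append((r["matched_user"], k))
    return leaks
```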
Facebook was keen to stress that the only data exposed by this flaw was email addresses and telephone numbers. Users can therefore rest easy that more sensitive data, such as any financial details or home addresses, has not been uncovered or accessed by cybercriminals looking to exploit this bug.
Facebook has also claimed that there have been no reports of malicious activity from its vast user base, nor any complaints. It has also been unable to identify any “anomalous behaviour” that would suggest information is being misused in any way.
How did this happen?
Even though Facebook employs hundreds of software developers and security engineers, creating software remains extremely complex. Any new update to the Facebook platform undergoes rigorous testing designed to identify bugs and flaws, most of which are fixed before being released to the public.
But occasionally these bugs do pass through the testing process unidentified, which appears to have been the case in this latest breach at Facebook. Software flaws are a regular occurrence, as can be seen by how often Apple and Microsoft release updates for their operating systems. What makes the Facebook breach noteworthy is the exposure of 6 million users’ data.
Has this happened before?
This latest breach is very similar to an issue reported back in October 2012 by a “security enthusiast”, who discovered that he could view almost anyone’s Facebook profile simply by guessing their phone number. In this instance, much of the problem was caused by improperly applied security settings on users’ Facebook pages, which exposed them to random searches via the Facebook mobile app. Within four days, the individual claimed that they had managed to harvest thousands of contact details to prove the fault to Facebook.
Facebook was embroiled in another data privacy row in 2010 when it was forced to admit an ‘inadvertent’ privacy breach. Several popular Facebook apps were discovered to be secretly sharing user information with internet tracking organisations and advertisers. Apps such as FarmVille and Mafia Wars transmitted user identities in direct contravention of Facebook’s own data-sharing rules. Luckily, as with the latest breach, the data available was limited and unlikely to cause any long-term problems.
In every instance, Facebook has worked hard to resolve issues as quickly as possible to restore the confidence of its 1.1 billion users and shareholders alike.
What will happen now?
Facebook claims that as soon as the bug came to light it immediately disabled access to the DYI tool to prevent further downloads. The DYI tool remains unavailable whilst the bug is patched to prevent any further data breaches. The tool will not be reinstated until Facebook is confident that all restricted information is removed properly before data can be downloaded.
Facebook has also begun emailing the 6 million users it has identified who may have had their private contact details compromised. The specific contents of the message are unknown, but it is likely to take the form of a personal apology along with a detailed explanation of what went wrong and how Facebook intends to prevent future occurrences.
Facebook is also duty bound to report breaches involving personal data to the Information Commissioner, under the Data Protection Act of 1998. This loss of personal data could see Facebook landed with a significant fine depending on the Information Commissioner’s recommendation. And because the data breach has affected users globally, Facebook has had to make similar reports to the authorities in the US, Canada and other European states.
How might this breach affect me?
For many people, the most disturbing aspect of this breach is that the data uploaded by other Facebook users may have been included in the DYI downloads. Even if your account has no telephone number attached, another Facebook user may have included it in their own address book uploads. Facebook would then have associated this information with your account “behind the scenes”, exposing it only as a result of this bug.
The exposed data is unlikely to cause major problems for users, as email addresses and telephone numbers are insufficient for use in identity theft, for instance. In theory, people could end up receiving more spam emails or nuisance texts should their addresses and phone numbers be sold on to scammers.
The worst case scenario would be if contact details fall into the hands of someone with a specific grudge. This could be a troll, a stalker or simply an ex-partner with whom you want no further contact. Fortunately, the percentage of users potentially affected in this way will be minimal.
Are you affected?
The easiest way to find out if you are one of the 6 million people affected by the privacy bug is to wait and see if you receive an email from Facebook. If you do, your data may have been accessed by someone without your permission. If you don’t, your data remains private and protected.
Whilst you wait for the email to arrive from Facebook, keep an eye on your mailbox and Facebook timeline to see if you spot anything out of the ordinary. If you notice a sudden increase in spam or phishing type emails, for instance, there may be a problem. Similarly, a surge in calls and texts regarding reclaiming PPI or personal injury claims is an indication that your contact details may have been shared.
Finally, if you begin receiving unwanted communications from someone like an ex, you may have been a victim of the data leak.
However, email confirmation from Facebook remains the only definitive way to verify whether you really are a victim or not. All other factors mentioned above could be purely coincidental, or the result of data being shared somewhere else.
What can you do?
If you notice changes to your Facebook account, or an increase in spam and nuisance phone calls, you must report the issue to Facebook. Facebook maintains a useful list of tutorials for reporting problems with your account, designed to make the process as easy as possible. Facebook will then investigate your concerns and take action where appropriate. You should also change your account password as soon as possible.
If your information has been compromised as a result of this bug and you feel that Facebook has not properly put things right, you can also make an official complaint to the Information Commissioner yourself. The Information Commissioner’s Office (ICO) has a complaint form that you can complete and return to escalate your complaint. For further advice about your data loss, or for help completing the complaint form, you can call the ICO helpline on 03030 123 1113.
If your contact details are being used maliciously to harass you, or to make threats of any kind, you should report the issue to the Police immediately. Most of the time, threats and trolling can be reported to the Police using the non-emergency telephone number, 101. Many Police forces now operate online reporting of crimes; you can find the correct contact details on your local constabulary’s website. Alternatively, where you believe that you are in immediate danger, Police advise calling 999.
Unfortunately, with regard to the information that has already been leaked as a result of this bug, there is not much that can be done other than changing telephone number and email address. Obviously, this is an avenue of last resort, which should only be pursued once you have verified that your Facebook account data has been compromised and that it has been misused.
Facebook continues to work hard improving user security and to prevent similar breaches in future. And although 6 million is a large number, it represents just 0.54% of the global Facebook user base. This guide should help if you are one of the unlucky few affected.