
Facebook Admits Exposing Over 6 Million Accounts

A security breach affecting around 6 million Facebook users was disclosed recently: their email addresses and telephone numbers were exposed due to a software bug.

The breach surfaced when users downloaded their archives using "Download Your Information": the contact information (email address and phone number) of connections as far out as the 2nd tier ("People You May Know") was included in the download. See what Facebook Security has to say:

-------
At Facebook, we take people’s privacy seriously, and we strive to protect people’s information to the very best of our ability. We implement many safeguards, hire the brightest engineers and train them to ensure we have only high-quality code behind the scenes of your Facebook experiences. We even have teams that focus exclusively on preventing and fixing privacy-related technical issues before they affect you.

Even with a strong team, no company can ensure 100% prevention of bugs, and in rare cases we don’t discover a problem until it has already affected a person’s account. This is one of the reasons we also have a White Hat program to collaborate with external security researchers and help us ensure that we maintain the highest security standards for our users.

We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them. 

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook. 

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool. 

After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.

We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.

We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again. Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.

We have already notified our regulators in the US, Canada and Europe, and we are in the process of notifying affected users via email.

We appreciate the security researcher's report to our White Hat program, and have paid out a bug bounty to thank him for his efforts.
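-------

The root cause Facebook describes is a data-provenance failure: address-book entries uploaded by one person were used to match existing users and then stored on the matched user's account, so the archive export path treated them as the user's own contact details. The following is an added example, not Facebook's code, that models that flow in a toy form: a buggy import that writes uploaded emails and phones onto the matched account, beside a fixed import that records only the fact of a match, keyed by the uploader and never read by the export. All user names, addresses, phone numbers and function names are constructed for illustration.

```python
"""Toy model of the contact-matching data flow behind the DYI bug.
Added example; not Facebook's code. Users, addresses and names are constructed."""

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    own_emails: set = field(default_factory=set)   # entered by the user on their own profile
    own_phones: set = field(default_factory=set)
    friends: set = field(default_factory=set)


@dataclass
class Contact:
    """One entry from an uploaded address book."""
    name: str
    emails: set = field(default_factory=set)
    phones: set = field(default_factory=set)


def build_index(users):
    """Map each self-provided email/phone to the user_id that owns it."""
    return {key: u.user_id for u in users.values() for key in u.own_emails | u.own_phones}


def match_contact(contact, index):
    """Return the user_id whose own contact info overlaps this entry, else None."""
    for key in contact.emails | contact.phones:
        if key in index:
            return index[key]
    return None


def import_contacts_buggy(uploader_id, contacts, users, index):
    """BUG: every email/phone in the uploaded entry is written onto the matched
    user's account, with no record that another person supplied it."""
    matched = set()
    for c in contacts:
        uid = match_contact(c, index)
        if uid is None:
            continue
        users[uid].own_emails |= c.emails   # uploader's private data now sits on the matched account
        users[uid].own_phones |= c.phones
        matched.add(uid)
    return matched


def import_contacts_fixed(uploader_id, contacts, users, index, match_hints):
    """Fixed: keep only the fact of a match, in a store keyed by the uploader that
    feeds invite suppression and recommendations. Account records are untouched."""
    matched = {match_contact(c, index) for c in contacts} - {None}
    match_hints[uploader_id] = matched
    return matched


def export_archive(requester_id, users):
    """DYI-style export: the requester's friends and their self-provided contact info
    (assumes that info is visible to friends)."""
    me = users[requester_id]
    return {fid: {"emails": sorted(users[fid].own_emails),
                  "phones": sorted(users[fid].own_phones)} for fid in sorted(me.friends)}


def run_scenario(fixed):
    """Carol uploads an address book holding Bob's site email plus a private email
    and phone; Alice, Bob's friend, then downloads her archive.
    Returns (Bob's row in Alice's export, the users Carol's upload matched)."""
    users = {
        "alice": User("alice", {"alice@example.com"}, friends={"bob"}),
        "bob":   User("bob",   {"bob@example.com"},   friends={"alice"}),
        "carol": User("carol", {"carol@example.com"}),
    }
    index = build_index(users)
    carol_book = [   # constructed sample input
        Contact("Bob", emails={"bob@example.com", "bob.personal@example.com"}, phones={"+15550100"}),
        Contact("Dan", emails={"dan@example.com"}),   # not on the service: should get an invite
    ]
    if fixed:
        matched = import_contacts_fixed("carol", carol_book, users, index, match_hints={})
    else:
        matched = import_contacts_buggy("carol", carol_book, users, index)
    return export_archive("alice", users)["bob"], matched


if __name__ == "__main__":
    for fixed in (False, True):
        row, matched = run_scenario(fixed)
        print("fixed" if fixed else "buggy", row, "matched:", sorted(matched))
```

Both versions still match Bob and leave Dan as an invite candidate, so the recommendation feature loses nothing; only the buggy version lets Alice's archive carry the email and phone number Carol uploaded. The practical check when reviewing a data-export feature is to trace every field back to who supplied it and under what expectation, and to export only what the account owner entered or explicitly shared.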
