Facebook Data Breach – Worse Than First Reported?

Discussion in 'Domain Name News' started by Acorn Newsbot, Jul 2, 2013.

Thread Status:
Not open for further replies.
  1. Acorn Newsbot

    Last week, Facebook revealed details of a data breach that they claimed affected up to 6 million registered users of the social network. Independent security experts looking into the issue believe that these initial admissions may have been understated.

    As promised, the social networking giant has been emailing the 6 million users identified as having been impacted by the breach, to let them know personally what has happened.

    The email gives brief details of how Facebook users uploaded address books containing private information to match contacts and generate friend recommendations. Although this personal data remains hidden on the Facebook site, it was exposed erroneously through the Download Your Information tool, making it available to unauthorised third parties.

    The explanatory email then goes on to give the user specific details of the personal information that was leaked, and estimates of how many people may have seen it. In general, the only private data exposed was telephone numbers and secondary email addresses.

    The problem goes deeper
    Since Facebook acknowledged the breach, other security companies have looked into the issue and believe that the problem may actually be far more damaging than initially claimed. Tests run by Packet Storm Security (PSS) have found that Facebook was understating the amount of information exposed in the emails sent to users.

    According to their research, PSS believes that many users may have had more of their data distributed than they are told. One Facebook user was told that three items of their personal data had been leaked, but tests revealed that the person involved had actually lost seven – four more than they were told about. Because Facebook has not revealed what these additional items are, many users are rightly worried about the potential implications.

    Facebook has also confirmed that the Download Your Information security loophole had been exposing private data for more than a year before this announcement.

    And deeper…
    Security experts then discovered that the Download Your Information data bug has exposed personal data belonging to people who do not use Facebook. When people have uploaded their address books for analysis, all of their non-Facebook using friends have been included. Facebook has then stored this information, ready for matching should those people join the social network at some point in the future.

    As discussed previously, Facebook creates two profiles for every user. A public profile, with publicly accessible data, and a “shadow” profile, which stores everything else. Any contact details that do not match an existing Facebook user profile are stored in a separate shadow profile for later use. But this was also available via the Download Your Information tool.

    Facebook has now confirmed that the information of non-users has been leaked, but that they will not be contacted. As such, these people may never know that their information has been shared without their permission. Most are probably unaware that Facebook was even storing their personal details.

    What does this mean?
    Facebook is rightly proud of its 1 billion users, and the online communities that have been built using their social network. However, this latest data breach should encourage everyone, Facebook user or not, to think carefully about how their data may be treated.

    Few people would have expected that uploading their address book could cause so many problems, but fewer still would have paused to think about the fact that everything uploaded was being stored permanently. And almost no one would have considered what happened to the details of people who don’t use Facebook.

    Address book sharing is built into Facebook’s website and mobile apps, making the function very easy to access and use. By simply clicking a button, data is sent to Facebook for analysis. And it is this ease of use that has led many people to upload data without considering any potential consequences.

    Businesses in the UK are duty bound to protect personal information, and are prevented from sharing it without the express permission of the individual involved, mainly to avoid problems like this. As responsible internet users, there is good reason for private individuals to take a similar approach and to think carefully before sharing any data that may belong to others.

    What can I do?
    Because Facebook is only informing affected users, other people who have had their data leaked may never know. Short of contacting all your own friends and family and asking if they have received an advisory email from Facebook, there is almost nothing you can do to find out whether your information has been leaked.

    As a private organisation, Facebook is exempt from the Freedom of Information Act 2000, which allows people to make requests from public bodies about the personal data they store. You could contact Facebook to ask for details of the information they hold on you, but they are not legally obliged to answer.

    If you are particularly concerned about personal data being held by Facebook without your permission, you can ask to have your email address removed from their database. Non-users can complete this form to register such a request.

    Facebook makes it clear in its documentation that although your information may be deleted, each time another registered user sends a sign-up request to you or uploads their address book, your details will be re-added. In effect, if your personal data has been shared with Facebook-using friends, family or acquaintances, there is little you can do to prevent it ending up online. However, you can continue to make deletion requests on a regular basis just in case.

    This latest Facebook leak provides all web users with an opportunity to assess their attitudes to personal data, both their own and that of their friends. The Facebook Download Your Information tool may have made the exposure possible, but the personal data was first supplied willingly by Facebook’s users. And it is the users who must decide whether or not to share their data – and other people’s data – in future.
