Facebook on Wednesday came forward with several announcements meant to show the world how much it really care about its users and their privacy. The company revealed that as many as 87 million users may have been affected by the Cambridge Analytica privacy breach, and announced new measures meant to improve data security going forward.
Mark Zuckerberg also confirmed that all changes Facebook is about to make in Europe will be applied worldwide, after initially saying that Facebook will honor the guidelines “in spirit” in non-European markets.
Tucked away in one of its announcements, however, was a really annoying revelation. That malicious individuals may have been scraping the data of Facebook users without their knowledge. And nobody is safe.
Facebook’s chief technology officer penned a blog post titled An Update on Our Plans to Restrict Data Access on Facebook
, in which he explained the various things Facebook is doing to prevent apps from accessing certain user data.
Buried in the post was a startling revelation, that anybody with access to your phone number or email address may have used that knowledge to scrape public profile information.
It all starts benign enough, explaining why the “search and account recovery” feature is useful.
Search and Account Recovery: Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name. In Bangladesh, for example, this feature makes up 7% of all searches.
But then things quickly take a turn for the worst (emphasis ours):
However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
Wait a second there, Facebook. What scale? What sophistication? This particular type of attack can’t have been discovered in the weeks since the Cambridge Analytica revelations. This must have been going on for quite a time, and it looks like Facebook chose to acknowledge it now, to get it out of the way. Was it the Russians? Is this type of profile scraping connected to any other hacks, say the Yahoo data breaches that compromised all of its accounts?
Sure, it may not sound that dangerous. What could have these malicious individuals used the profile data for? And it’s hardly a warning that all 2 billion accounts were compromised by the same attacker. But it still goes to show how lax Facebook has been with your data if something like this was possible, especially when hit by attackers capable of deploying sophisticated attacks at scale. That’s what’s alarming here. Also disturbing is the fact that Facebook doesn’t elaborate on these type of scraping attacks.
Zuckerberg confirmed it all in his chat with the media:
In terms of sophistication, this is stuff that I’ve already said on some of the other answers, so I’ll try to keep this short. We had basic protections in place to prevent rate-limiting, making sure that accounts couldn’t do a whole lot of searches. But we did see a number of folks who cycled through many thousands of IPs, hundreds of thousands of IP addresses to abade the rate-limiting system, and that wasn’t a problem we really had a solution to. So now, that’s partially why the answer we came to is to shut this down even though a lot of people are getting a lot of use out of it. That’s not something we necessarily want to have going on. In terms of the scale, I think the thing people should assume, given this is a feature that’s been available for a while and a lot of people use it in the right way, but we’ve also seen some scraping, I would assume if you had that setting turned on, that someone at some point has accessed your public information in this way.
He also elaborated on the kind of sophistication that was used to scrape data.
But I think what was also clear is that the methods of rate limiting this weren’t able to prevent malicious actors who cycled through hundreds of thousands of different IP address and did a relatively small number of queries for each one. Given that and what we know today, it just makes sense to shut that down.
