Facebook admits that worldwide assault by hackers hit millions more users
UNITED STATES: Facebook says ‘‘malicious actors’’ took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.
The revelation yesterday came amid rising acknowledgment by Facebook about its struggles to control the data it gathers on users. Among the announcements was that Cambridge Analytica, a political consultancy hired by then-presidential candidate Donald Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.
But the abuse of Facebook’s search tools – now disabled – happened far more broadly and over the course of several years, with few Facebook users likely to have escaped, company officials acknowledged.
The scam started when hackers harvested email addresses and phone numbers on the ‘‘dark web’’, where criminals post information stolen in data breaches over the years. The hackers then used automated computer programs to feed the numbers and addresses into Facebook’s ‘‘search’’ box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and home towns.
‘‘We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,’’ chief executive Mark Zuckerberg said yesterday.
Facebook said in a blog post: ‘‘Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.’’
Facebook users could have blocked the search function, which was turned on by default, by tweaking their settings to restrict the finding of their identities via phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings, and often fail to understand what information they are sharing.
Hackers also abused Facebook’s account recovery function, by pretending to be legitimate users who had forgotten account details. The recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings.
Names, phone numbers, email addresses and other personal information amount to critical starter kits for identity theft and other malicious online activity, experts on internet crime say. The Facebook hacks allowed ‘‘bad actors’’ to tie raw data to people’s real identities and build fuller profiles of them.
Privacy experts had issued warnings that the phone number and email address lookup tool left Facebook users’ data exposed.
Facebook did not disclose who the malicious actors are, how the data might have been used, or exactly how many people were affected.
The revelations about the privacy mishaps come at a perilous time for Facebook, which since last month has wrestled with the fallout from how the data of tens of millions of Americans ended up in the hands of Cambridge Analytica. Those reports have spurred investigations in the US and Europe and sent the company’s stock price tumbling.
The news quickly reverberated on Capitol Hill, where lawmakers are set to grill Zuckerberg at hearings next week.
‘‘The more we learn, the clearer it is that this was an avalanche of privacy violations that strike at the core of one of our most precious American values – the right to privacy,’’ said Democrat Senator Edward Markey, who serves on the Senate commerce committee, which has called on Zuckerberg to testify at a hearing next week.
Perhaps the most urgent question for Facebook is whether its practices ran afoul of a settlement it brokered with the US Federal Trade Commission (FTC) in 2011 in response to previous contro- versies over its handling of user data. At the time, the FTC faulted Facebook as misrepresenting the privacy protections it afforded its users, and required the company to maintain a comprehensive privacy policy and ask permission before sharing user data in new ways. Violating the terms could result in many millions of dollars in fines.
The FTC said last week that it would open a new investigation in light of the Cambridge Analytica news. Yesterday’s revelations were likely to complicate the legal situation, said David Vladeck, a former FTC director of consumer protection who oversaw the 2011 consent decree.
‘‘This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree,’’ said Vladeck, now a law professor at Georgetown University. ‘‘I don’t think that after these revelations they have any defence at all.’’ He called the numbers ‘‘just staggering’’. – Washington Post