The New Zealand Herald

Facebook: We were hacked

Company says few users would have escaped breach in which ‘dark web’ data was fed into search tool

- Craig Timberg

Facebook says “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.

The revelation came yesterday amid rising acknowledgment by Facebook about its struggles to control the data it gathers on users. Among the announcements yesterday was that Cambridge Analytica, a political consultancy hired by then-United States presidential candidate Donald Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.

But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.

The scam started when hackers harvested email addresses and phone numbers on the “dark web”, where criminals post information stolen in data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and home towns.

“We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” chief executive Mark Zuckerberg said in a call with reporters yesterday.

Facebook said in a blog post: “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.”

Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict the finding of their identities by phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing.

Hackers also abused Facebook’s account recovery function, by pretending to be legitimate users who had forgotten account details. Facebook’s recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings. Names, phone numbers, email addresses and other personal information amount to critical starter kits for identity theft and other malicious online activity, experts on internet crime say. The Facebook hacks allowed bad actors to tie raw data to people’s real identities and build fuller profiles of them.

Privacy experts had issued warnings that the phone number and email address lookup tool left Facebook users’ data exposed.

Facebook did not disclose who the malicious actors are, how the data might have been used or exactly how many people were affected.

The revelations about the privacy mishaps come at a perilous time for Facebook, which since last month has wrestled with the fallout of how the data of tens of millions of Americans ended up in the hands of Cambridge Analytica. Those reports have spurred investigations in the US and Europe and sent the company’s stock price tumbling.

The news quickly reverberated on Capitol Hill, where lawmakers are set to grill Zuckerberg at hearings next week.

“The more we learn, the clearer it is that this was an avalanche of privacy violations that strike at the core of one of our most precious American values — the right to privacy,” said Democratic Senator Edward Markey, who serves on the Senate Commerce Committee, which has called on Zuckerberg to testify at a hearing next week.

Perhaps the most urgent question for Facebook is whether its practices ran afoul of a settlement it brokered with the Federal Trade Commission in 2011 in response to previous controversies over its handling of user data.

At the time, the FTC faulted Facebook as misrepresenting the privacy protections it afforded its users and required the company to maintain a comprehensive privacy policy and ask permission before sharing user data in new ways. Violating the terms could result in many millions of dollars of fines.

The FTC said last week that it would open a new investigation in light of the Cambridge Analytica news, and yesterday’s revelations are likely to complicate the legal situation, said David Vladeck, a former FTC director of consumer protection who oversaw the 2011 consent decree.

“This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree,” said Vladeck, now a law professor at Georgetown University. “I don’t think that after these revelations they have any defence at all.” He called the numbers “just staggering”.

The data that Cambridge Analytica obtained relied on different techniques and was more detailed and extensive than what the hackers collected using Facebook’s search functions.

The Cambridge Analytica data set included user names, home towns, work and educational histories, religious affiliations, and Facebook “likes” of users.

Other users affected were in countries including the Philippines, Indonesia, Britain, Canada and Mexico.

Facebook said it banned Cambridge Analytica last month because the data firm improperly obtained profile information.

Picture / AP: Mark Zuckerberg will be grilled by lawmakers on Capitol Hill next week.
