Facebook has not yet explained the specific technical mechanism that enabled its creation. The feature is set to “Everyone” by default.Īnd then there's the now public 2019 user data trove. Go to “Settings & Privacy,” “Settings,” “Privacy,” and scroll to “How People Find and Contact You” to find the “Who can look me up” email address and phone number controls. The options were “Everyone,” “Friends of friends,” and “Friends.” In May 2019 the company added an “Only me” option. Even if your phone number is set to “Only me" on your profile, it could still be set to “Everyone” under “Who can look me up.” In that case, if someone guessed your phone number they would be able to link it to your other public Facebook information.Īt the time of De Ceukelaire's research, Facebook didn't even offer an “Only me” option within the “Who can look me up” control. De Ceukelaire further flagged that users might not understand that the privacy controls they set for information on their Facebook profile could be undermined by another Facebook privacy setting known as “Who can look me up.”įacebook lets you set your phone number and email address as visible to “Only me.” But it also has an entirely separate setting, called “Who can look me up,” that dictates whether someone can find you on Facebook using your phone number or email address through the contact import tool. Facebook told De Ceukelaire at the time that it might revise its rate limits-the maximum numbers of submissions one can make-for the contact import feature, but that it did not view the issue as a vulnerability. First, attackers might well look for more powerful and efficient ways of abusing the contact import feature through phone number enumeration attacks. The researcher had raised two crucial points, though. “I think they are probably very mindful of the fact that they could be facing significant liability.”Īshkan Soltani, former FTC chief technologist “But it’s a recurring theme for Facebook that whenever growth is at stake, they will think twice about fixing something to benefit the user’s privacy.” It's not just Facebook," says Inti De Ceukelaire, a Belgian security researcher who reported a vulnerability in Facebook's contact import feature to the company in 2017. “I'm sure other companies are sweating as well now. But Facebook's contact import tool in particular has had a number of known problems, and supposed fixes, over the years. Many social networks and communication apps offer some version of this as a sort of social lubricant.
But now researchers are saying Facebook knew about similar vulnerabilities for years before that, and it could have made a far greater effort to prevent the mass scraping in the first place.Īt issue is Facebook's “content importer,” a feature that combs a user's address book to find people they know who also use Facebook.
It took days for Facebook to finally acknowledge the root cause, an issue the company says it fixed in 2019. Troy Hunt, the creator of the Have I Been Pwned database, said on Saturday that “I haven’t seen anything yet to suggest this breach isn’t legit.” In the data, he found only about 2.5 million unique email addresses (which is still a lot!), but apparently, “the greatest impact here is the phone numbers.The profile names, email addresses, and phone numbers of over 500 million Facebook users have been circulating publicly online for nearly a week.
“We found and fixed this issue in August 2019.” Facebook has not replied to a request for comment from The Verge. “This is old data that was previously reported on in 2019,” Facebook told BleepingComputer. The company gave a similar answer to Motherboard in January.
Phone number, Facebook ID, Full name, Location, Past Location, Birthdate, (Sometimes) Email Address, Account Creation Date, Relationship Status, Bio.īad actors will certainly use the information for social engineering, scamming, hacking and marketing.- Alon Gal (Under the Breach) April 3, 2021įacebook told Insider that this data was scraped because of a vulnerability that it fixed in 2019.