Facebook Says Most User Accounts Accessible to Profile Scrapers

NEWS ANALYSIS: Facebook has admitted that third parties could have used an account “search and recovery” tool to scrape personal data from most of the company’s 2.2 billion user accounts.

Facebook Breach Scale Increases

The latest admissions by Facebook executives indicate that the personal information of virtually all of its 2.2 billion users could have been accessed by unauthorized third parties. 

In a posting by Facebook CTO Mike Schroepfer, the social network admitted that many third parties besides Cambridge Analytica had access to user personal data. Facebook increased its estimate of the number of user profiles Cambridge Analytica accessed from 50 million to 87 million. 

The new numbers were reported in Facebook’s updates on changes to its system designed to make it easier for members to protect their data. But Facebook’s latest admission indicates that the Cambridge Analytica breach barely scratched the surface of user data exposures.

Schroepfer said that the main security weakness was in a function called Search and Account Recovery, which, among other things, allowed searches using information other than a person’s name. 

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them,” he said. The feature was especially useful in looking up users who had names that were in something other than English. 

“In Bangladesh, for example, this feature makes up 7 percent of all searches,” Schroepfer explained. “However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.” 

Schroepfer said that Account Recovery has a similar vulnerability and that Facebook will be making changes to reduce the risk of account scraping. 
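The abuse Schroepfer describes is a classic enumeration pattern: a lookup that accepts an identifier the attacker already holds (a phone number or e-mail from a breach dump, a marketing list, or simply every number in a dialled range) and returns the matching public profile, with no opt-in on the target’s side and no ceiling on how many lookups one caller may make. The following is an added illustration written for this article, not Facebook code; the directory, names, phone numbers and the `HardenedLookup` budget value are all constructed. It shows the weak lookup being harvested across a number range, and the same lookup with the two controls that break bulk scraping: a per-profile discoverability setting and a per-caller lookup budget.

```python
"""
Toy model of contact-lookup enumeration (constructed example, not Facebook code).
A directory maps phone numbers and e-mail addresses to public profiles. An attacker
pushes identifiers they already have through the lookup and keeps whatever resolves.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    phone: str
    email: str
    discoverable_by_contact: bool = True  # constructed default: lookup by contact allowed


# Constructed sample directory; every identifier here is fictitious.
DIRECTORY = [
    Profile("Alice Example", "+15550100001", "alice@example.org"),
    Profile("Bob Example", "+15550100002", "bob@example.org", discoverable_by_contact=False),
    Profile("Carol Example", "+15550100077", "carol@example.org"),
]

_BY_PHONE = {p.phone: p for p in DIRECTORY}
_BY_EMAIL = {p.email: p for p in DIRECTORY}


def lookup_weak(identifier):
    """The behaviour the article describes: any phone number or e-mail resolves to
    the public profile, regardless of the target's settings or the caller's volume."""
    return _BY_PHONE.get(identifier) or _BY_EMAIL.get(identifier)


def scrape(identifiers, lookup):
    """Attacker loop: feed identifiers through the lookup and record which ones
    resolve to a profile. Stops as soon as the service refuses further lookups."""
    found = {}
    for ident in identifiers:
        try:
            profile = lookup(ident)
        except PermissionError:
            break  # lookup budget exhausted; bulk harvesting stops here
        if profile is not None:
            found[ident] = profile.name
    return found


class HardenedLookup:
    """Same lookup with two controls: the target must have opted in to being
    found by contact details, and each caller gets a small lookup budget."""

    def __init__(self, budget=20):  # budget value is an assumption for the demo
        self.budget = budget
        self.calls = defaultdict(int)

    def lookup(self, caller_id, identifier):
        self.calls[caller_id] += 1
        if self.calls[caller_id] > self.budget:
            raise PermissionError("lookup budget exceeded for caller %s" % caller_id)
        profile = _BY_PHONE.get(identifier) or _BY_EMAIL.get(identifier)
        if profile is None or not profile.discoverable_by_contact:
            # Identical answer for "no such user" and "user opted out", so the
            # response does not reveal which identifiers are registered at all.
            return None
        return profile


def phone_range(prefix, start, count):
    """Constructed attacker input: every number in a block. No prior knowledge of
    which numbers are registered is needed; the lookup tells the attacker."""
    return ["%s%07d" % (prefix, n) for n in range(start, start + count)]


def demo():
    """Run the same 100-number range against both lookups and return
    (harvested_from_weak_lookup, harvested_from_hardened_lookup)."""
    numbers = phone_range("+1555", 100000, 100)  # +15550100000 .. +15550100099
    unprotected = scrape(numbers, lookup_weak)
    hardened = HardenedLookup(budget=20)
    protected = scrape(numbers, lambda ident: hardened.lookup("scraper-1", ident))
    return unprotected, protected


if __name__ == "__main__":
    weak, hard = demo()
    print("weak lookup leaked:", weak)
    print("hardened lookup leaked:", hard)
```

Against the weak lookup the range sweep recovers all three profiles, including Bob, who never wanted to be found by phone number. Against the hardened lookup the sweep recovers only Alice: Bob is hidden by the opt-out, and the caller’s budget runs out long before the sweep reaches Carol. The budget alone does not stop a distributed scraper with many caller identities, which is why the per-target opt-in (or, as Facebook chose, removing the feature) is the control that actually matters.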

Members will also be provided with information on whether their data was breached by Cambridge Analytica. This is part of the effort by Facebook to give users greater control over the Apps they’ve used in the past. Schroepfer provided a graph breaking down the number of people from each country that had their information taken, showing that more than 80 percent were from the U.S. 

Schroepfer also provided a list of APIs and other functions that Facebook was changing to give users more control over their data. A significant change concerns Facebook Login: all apps that use it will now need Facebook’s approval under a tighter review process than was used in the past.

Facebook will also limit what apps can request about a user’s religion, political views and relationships; the limits also cover data on music and video habits, news reading and games.

Paired with Schroepfer’s announcement, Erin Egan, Facebook vice president and Chief Privacy Officer, posted a series of proposed updates to the company’s terms of service and its data policy designed to make things clearer and easier for users to understand.  

Egan stressed that Facebook is not proposing to add new ways to use member data.

Facebook is asking for member input over the course of the next week before the changes take effect. 

Egan’s report is the promised new level of transparency. Facebook is also providing more information on how the platform’s features work and what information is collected about each user, including the devices they use to access Facebook.

The transparency effort also included a report on accounts used by Russia’s Internet Research Agency. In the report, Alex Stamos, Facebook’s Chief Security Officer, disclosed how many IRA accounts existed and how many people followed them. Stamos said that Facebook has removed some 70 IRA Facebook accounts, 138 Facebook pages and 65 Instagram accounts. In the process, the IRA was kicked off of Facebook.

“The IRA has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections,” Stamos explained. “It’s why we don’t want them on Facebook. We removed this latest set of Pages and accounts solely because they were controlled by the IRA—not based on the content.” 

Stamos said that he expects the Russians to attempt to find new ways to abuse Facebook. “We know that the IRA—and other bad actors seeking to abuse Facebook—are always changing their tactics to hide from our security team,” Stamos said. “We expect we will find more, and if we do we will take them down too.” 

With all of these actions Facebook is promising that it will try to fix things by helping users get better control over their data and that it will try to keep Russian IRA operatives from setting up disinformation campaigns on Facebook. What Facebook has not done, at least so far, is change the way the company itself uses its members’ personal information. 

While Facebook has restricted access to that information by third parties, the social network still has its own access. Considering that those third parties did little to pay for the data they took, Facebook has in effect made its own access to the data more valuable. 

Meanwhile, by becoming more transparent, Facebook will attempt to reduce much of the negative publicity that is currently swirling around the business. It is trying to fortify itself against criticism of its future activities because now nobody can say they didn’t have the opportunity to see what happened to their information. 

But now that Facebook has finally admitted how easy it was for third parties, whether marketing researchers, cyber-criminals or foreign propagandists, to get at that data, it raises the question of why the social media company didn’t do a better job right from the start of protecting its greatest asset, users’ personal data, from unrestricted exploitation.

Undoubtedly Facebook is going to face serious repercussions from legal authorities and regulators in the United States and abroad over the total lack of protection for user data. These repercussions could include lawsuits, fines and even more new regulations that could reduce Facebook’s revenue and restrict its future growth.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...