Facebook’s Malicious Actors

What the Fbook

Photo credit: bobsfever via Foter.com / CC BY-ND

Facebook’s acknowledgment that most of its 2.2 billion members have probably had their personal data scraped by “malicious actors” is the latest example of the social network’s failure to protect its users’ data.

Facebook dropped the bombshell on its users by admitting that every one of its 2.2 billion members should assume malicious third-party scrapers have collected their public profile data.

Facebook CEO Mark Zuckerberg disclosed that “malicious actors” had taken advantage of the search tools on its platform to discover the identities of, and collect data on, most of its 2 billion users worldwide.

The revelation once again underlines Facebook’s failure to protect users’ privacy while at the same time generating billion$ in revenue.

Cambridge Analytica

The revelation came weeks after the disclosure of the Cambridge Analytica scandal, in which the personal records of 77 million users were improperly gathered and misused by the political consultancy, which reportedly also helped Donald Trump win the US presidential election in 2016.

However, the latest scam revealed by FB, the abuse of its search features over a number of years, affects nearly all of its 2.2 billion users, making this the worst year yet for the world’s largest social network.

FB’s CEO Zuckerberg said:

“It is clear now that we didn’t do enough, we didn’t focus enough on preventing abuse…. We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake.”

The company said it had disabled the feature in its site’s search tool that allowed anyone to look up users by entering phone numbers or e-mail addresses, the same feature that enabled malicious actors to scrape public profiles.

Did cybercriminals take advantage of Facebook’s lax security?

The source of this scam was FB’s search feature, which was turned on by default. Hackers turned to “The Dark Web,” where criminals post users’ personal information (including details such as credit card numbers) stolen through data breaches and hacks over the years.

Once they had e-mail addresses and phone numbers in hand, the hackers used automated software to feed them into FB’s “search” box.

This lookup allowed them to find the full name of the Facebook member associated with each e-mail address or phone number, along with that member’s public profile information, which frequently includes name, profile photo, and hometown.

Data accumulated in this way is far more likely to be used by cybercriminals to target specific individuals through social engineering or other cyber attacks.
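The pattern described above, a single client feeding a long list of previously leaked identifiers into a reverse lookup, is what a defender would want to spot in the lookup endpoint’s request logs. The following is an added example (not Facebook’s code, and the log format is an assumption) that hashes identifiers before logging so the log itself does not leak PII, then flags any client that queries more than a threshold of distinct identifiers inside a sliding time window. The sample log is constructed inline: one ordinary user and one scraper working through a leaked address list.

```python
"""Detect reverse-lookup enumeration (phone/e-mail -> account) in request logs.

Added example, not Facebook's code. The log format below is an assumption:
  <ISO timestamp> client=<id> kind=<phone|email> key=<sha256 of identifier> result=<hit|miss>
Identifiers are stored only as hashes so the log is not itself a PII leak.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) kind=(?P<kind>phone|email) "
    r"key=(?P<key>[0-9a-f]{64}) result=(?P<result>hit|miss)$"
)


def hash_identifier(identifier: str) -> str:
    """Normalise and hash a phone number or e-mail so raw PII never lands in the log."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_enumeration(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {client: peak_distinct_keys} for every client that looked up more than
    `max_distinct` distinct identifiers inside any `window`-long sliding window.

    Volume of distinct identifiers is the primary signal: a scraper working from a
    leaked list gets mostly hits, so a miss ratio alone would not catch it.
    """
    per_client = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            per_client[event["client"]].append(event)

    flagged = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        win = deque()                # events currently inside the window
        counts = defaultdict(int)    # key -> occurrences inside the window
        peak = 0
        for event in events:
            win.append(event)
            counts[event["key"]] += 1
            # evict events older than the window, keeping the distinct-key count exact
            while win and event["ts"] - win[0]["ts"] > window:
                old = win.popleft()
                counts[old["key"]] -= 1
                if counts[old["key"]] == 0:
                    del counts[old["key"]]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one ordinary user and one scraper with 30 leaked addresses."""
    base = datetime(2018, 4, 5, 9, 0, 0)
    lines = []
    # ordinary client: three lookups spread over ten minutes, one of them repeated
    for i, addr in enumerate(["alice@example.com", "bob@example.com", "alice@example.com"]):
        ts = base + timedelta(minutes=4 * i)
        lines.append(f"{ts.isoformat()} client=c-normal kind=email "
                     f"key={hash_identifier(addr)} result=hit")
    # scraper: thirty distinct leaked addresses in under two minutes
    for i in range(30):
        ts = base + timedelta(seconds=4 * i)
        result = "hit" if i % 3 else "miss"
        lines.append(f"{ts.isoformat()} client=c-scraper kind=email "
                     f"key={hash_identifier(f'leaked{i}@example.net')} result={result}")
    return lines


if __name__ == "__main__":
    for client, peak in detect_enumeration(build_sample_log()).items():
        print(f"{client}: {peak} distinct identifiers in one 5-minute window")
```

Thresholds here are illustrative; in practice the window and distinct-identifier limit would be tuned against the legitimate "find my friend" traffic, and a flagged client would be rate-limited or challenged rather than blocked outright.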

Facebook Chief Technology Officer Mike Schroepfer said, in a blog post describing the changes the company has made to its service to better protect users’ data:

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name,”

“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”

While apologising a “second time” to FB users, Zuckerberg said this feature has been turned off immediately, noting that the scraped profile information was limited to what was publicly viewable.

Zuckerberg defended gathering users’ data for a business model, arguing:

“People tell us that if they’re going to see ads, they want the ads to be good.” (So thoughtful)
“On the one hand, people want relevant experiences, and on the other hand there is some discomfort about how data is used,”
“I think the overwhelming feedback is for wanting a good experience.”

Additionally, it was first reported that the Cambridge Analytica quiz app amassed data on some 50 million Facebook users; however, FB has now revised that number upward to over 77 million.

In an effort to protect its users’ private data, Facebook is now restricting third-party apps from accessing users’ information about their relationship status, religious or political views, work history, education, habits, interests, video watching, and games, essentially almost all the information data brokers and businesses collect to build profiles of their customers’ tastes.

The company has announced they will on Monday inform users who were affected by the Cambridge Analytica data leak.

Because the EU’s General Data Protection Regulation (GDPR) (see previous blog post here) only comes into force on May 25th, 2018, Facebook may escape lightly: under the new GDPR, organisations can be fined up to 4% of annual global turnover or €20 million for a breach.

UPDATE 9/4/18

Facebook members can find out whether they are among the 87 million users whose data may have been shared with Cambridge Analytica.

Every account holder is being sent one of two notices informing them whether their data was affected.

Facebook said:

“People will also be shown what apps they use and what data those apps may have gathered.”

Facebook has additionally suspended a data analytics firm called Cubeyou, ahead of an investigation.

Facebook will look into whether Cubeyou collected data for academic purposes and then used it commercially, following a partnership with Cambridge University in the UK.
