
Facebook Confirms Data Breach 155

Posted by timothy
from the you-like-this dept.
another random user writes "A researcher by the name of Suriya Prakash has claimed that the majority of phone numbers on Facebook are not safe. It's not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook's 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort. Facebook has confirmed that it limited Prakash's activity but it's unclear how long it took to do so. Prakash disagrees with when Facebook says his activity was curtailed."

Update: 10/11 17:47 GMT by T: Fred Wolens of Facebook says this isn't an exploit at all, writing "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page. Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked."

Update: 10/11 20:25 GMT by T: Suriya Prakash writes with one more note: "Yes, it is a feature of FB and not a bug, but FB never managed to block me; the vul was in m.facebook.com. Read my original post. Many other security researchers also confirmed the existence of this bug; FB did not fix it until all the media coverage." Some of the issue is no doubt semantic; if you have a Facebook account that shows your number, though, you can decide how much you care about the degree to which the data is visible or findable.
  • by retroworks (652802) on Thursday October 11, 2012 @09:38AM (#41618585) Homepage Journal
    It would be really interesting, as a kind of control group, to ask a statistically represented sample of people how alarmed they are, on the basis of 1-10, about the following: 1) Their name is in the phone book, 2) The government has their Social Security Number, 3) Their face is recognizable by the bank ATM camera, 4) their neighbor has a X% chance of receiving their mail in the wrong mailbox. Throw in the word "breach" and watch the fur fly.
  • by Viol8 (599362) on Thursday October 11, 2012 @09:47AM (#41618687)

    Phonebooks were generally only easily available in the area you lived in and not accessible by Vlad in Minsk who wants to collect as much data as he can on you to impersonate you to a bank. Not only that, but once data is on a computer a lot of things can be automated. When it's in barely readable type in a large book it's a bit more effort.

  • Anecdote Time! (Score:5, Interesting)

    by eldavojohn (898314) on Thursday October 11, 2012 @09:51AM (#41618721) Journal

    Remember phone books? It used to be possible to match people with not only their phone number but their home address too.

    Ah, yes! And let me tell you a story about that! I used to have a very common name. So common that according to the latest census there are 40,000 of me walking around the United States (first and last name). I have met myself (first, middle and last) four times and the second time I met myself I was 19 and he was 20 and he said to me: "Don't you ever let your name be published in the phone book" (as advice from one being raised in a major metropolis and I being raised in a very small town) and then went on to describe at length how, when he turned 18, he started receiving odd phone calls from credit card companies demanding he pay up tens of thousands of debt. After months of harassment, he finally got it all straightened out with one of the credit bureaus who then basically had to show the credit card companies that his records and the records of the real person they were looking for were completely different. The other odd thing was that the address the credit card companies had on file had the same exact abbreviations as his address in the phone book and the person had "moved" to that address right when my friend turned 18 and had his name put in the phone book.

    Is it a common problem? Maybe not ... but I'd just as well keep as much of my life private as possible ... to avoid whatever creative scofflaw there might be out there.

  • Re:Phonebook (Score:5, Interesting)

    by Crayon Kid (700279) on Thursday October 11, 2012 @10:19AM (#41618993)

    You probably don't remember this, but when you first started using the Facebook application on your phone you had to confirm your phone number. You probably got a text with a code you had to enter or something like that.

    You can remove the number, as you noticed, but I'd be really skeptical whether they actually remove it. I suspect they don't, since it's a great way of tracking people across multiple accounts. As you experienced yourself, people often forget that they made Facebook aware of their personal phone number at some point in time.

    Consider for example the case of someone who becomes more privacy-aware, closes their initial FB account then later opens another where he is more guarded about who he friends and what he publishes. And he thinks he's leaving less of an online footprint... when in reality I bet FB is tying it all in with his previous account.

  • by Anonymous Coward on Thursday October 11, 2012 @11:25AM (#41619707)

    I verified that my mobile number is set to be visible to myself only. I then used a fake Facebook account that I keep around, and searched for my phone number. Sure enough, my account showed up. If I try to remove it, I'm informed that I will no longer be able to use that phone to do anything with Facebook. I removed it anyway, and so far, Facebook is still returning my account when I search for my cell number.
