Facebook Bug Exposed 6 Million Users

jamaicaplain sends this quote from the NY Times: "Facebook has inadvertently exposed six million users' phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said late Friday. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook's security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until Friday afternoon, when it published a message on its blog explaining the situation."

The bug was

[Anonymous Coward]

That it didn't expose them to advertisers.

Re:

[ozmanjusri]

Very little doubt about that.

About a year after Facebook reportedly joined PRISM, Max Kelly, the social network's chief security officer left for a job at the National Security Agency,

http://www.theatlanticwire.com/technology/2013/06/facebooks-former-security-chief-now-works-nsa/66432/ [theatlanticwire.com]

They have to fix it fast.

[140Mandak262Jamuna]

This highly confidential data is very valuable thing and the most important thing Facebook is selling to its "partners". Leaking this information for free without collecting revenue is highly detrimental to the company. They have since fixed the problem, it is all well and good. You now have to become a "partner" and pay the required fees to Facebook to get such confidential data.

Re:They have to fix it fast.

[swillden]

I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

Re:They have to fix it fast.

[PolygamousRanchKid]

I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

I feel funny defending the NSA, but unless they're blatantly violating their own published privacy policy, they don't spy on US citizens. While it's possible they're intentionally violating their policy, I think that's unlikely.

Re:

[swillden]

I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

I feel funny defending the NSA, but unless they're blatantly violating their own published privacy policy, they don't spy on US citizens. While it's possible they're intentionally violating their policy, I think that's unlikely.

Absent evidence to the contrary -- which we now possess -- I would agree. The thing about large-scale deceptions is that they tend to get outed. That applies both to government and private industry.

Re:

[girlintraining]

In Canada at least, Tor is awful. Because others can use your connection as well, if someone looks at child porn from behind your connection, you are guilty of distribution.

...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

Re:

[girlintraining]

I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

Re:

[swillden]

I feel funny defending Facebook, but unless they're blatantly violating their own published privacy policy, they don't sell personally-identifiable information to others. While it's possible they're intentionally violating their policy, I think that's unlikely.

...Says the dude on the internet that apparently didn't read the note above the "Allow" button when he signed up for Farmville.

Actually, I never signed up for Farmville... and I don't even use Facebook any more :)

But, yes, if you explicitly give them permission to share your info then they have your permission.

Re:

[davester666]

Yes, they don't SELL pii to others.

They only RENT it.

What's a facebook?

[I'm New Around Here]

I don't act smug and superior when I tell people I don't have a Facebook page.

But I think I should start.

Re:

[l3v1]

You're not "smug and superior". You're full of ... reason.

Re:

[ebno-10db]

You're not "smug and superior". You're full of ... reason.

It's not an either/or situation - they make a great combo.

Re:

[Anonymous Coward]

I don't act smug and superior when I tell people I don't have a Facebook page.

But I think I should start.

You say you don't act smug and superior, but it is very interesting how much people on Slashdot feel the need to brag about not using Facebook.

Re:

[hurwak-feg]

I don't understand what acting smug and superior in saying you don't use Facebook will accomplish. I'm not saying it is a bad idea, I just want to know your reasoning before forming an opinion of your opinion.

Re:

[Anonymous Coward]

I used to use Facebook on perhaps a weekly basis. But, you soon find that the people who you typically "friend" - your family and people you know - just send around idiotic conspiracy theories, pass on bogus "tell all your friends about this" spam, lame ass religious notes, scans of old pictures from the 1970's, etc. Oh, and they sometimes yell at you for no good reason too. I'm glad I left and went to Google+ where you typically don't follow people you know IRL as much and, instead, engage with interesting

its like vkontakte for imperialist westerners

[decora]

also it kind of tends to break alot

Re:

[Anonymous Coward]

You're right, and I'm also tired of political correctness and respectful behavior at all costs. The crude truth is that those who don't use facebook are actually superior. Period.

If a person tells the world real name, friends, photos, what he/she does at any moment of the day and many other personal details that not even a spy agency would have, he/she is simply a dumbass. OBJECTION: how is it possible that there more than 1 billion dumbasses in the world? Sorry, it IS possible. Not nice to say it, but it

Re:

[Known Nutter]

OBJECTION: how is it possible that there more than 1 billion dumbasses in the world? Sorry, it IS possible.

This same set of fuckwits are also the ones complaining about the NSA shit. Now, the NSA by many accounts is up to some fucked up stuff, but for one to complain about being spied on while at the same time posting every boring detail of their life on facebook is the true mark of a mouth breather.

Re:

[Rod Beauvex]

Don't worry. Facebook will make a page for you.

Re:

[MogNuts]

Ha you should. I held out too all these years. Long story though, but I finally might be forced to use it. :(

On that note, because I don't want to give facebook that data to begin with and have it act as malware and scrape all my email accounts and browsing history (even if I'm logged out), I was thinking of the following. Let me know what you think Slashdotters:

1) Does running FB as a different user on the same machine (but obviously then running the same browser executable) preclude FB from getting the ot

Re:

[Douglas Goodall]

I used facebook for a while. I had to unfriend my grand-daughter because her teen chatter offended me, and I didn't want her to offend my other "friends" as well. I started to feel a loss of control when I realized the bizarre things that can happen when you introduce al the people you have ever known to each other. But the real reason I detached from FB was that I started to see the connections growing between them and the rest of the world. Every time I turn around on the Internet, some piece of softwar

Re:

[I'm New Around Here]

Then I started noticing web sites where you couldn't participate if you were unwilling to provide your FB credentials. There are a lot of news sites like that. When you want to comment on an article, up comes that FB login dialog.

In terms of growing risks, the more systems that are closely bound to FB, the bigger the disaster when something goes wrong.

Hello,

Original poster here, just wondered about something, if you don't mind. What browser do you use online? I use Firefox, with a few add-ons installed. One of them is called NoScript, and it disables all the automatic links you mention on websites. You can choose to enable individual scripts, either permanently or just for that visit. You would be amazed at the number of scripts running on various websites.

For example, I just opened another tab and visited a news story at NY Times to check. When I moved

Testing

[hurwak-feg]

It would be interesting to see their test cases. This seems like their test cases weren't very well thought out. Or the more cynical view is testing takes time and money to pay people to do the testing. Its cheaper to just deploy the application.

Re:Testing

[ebno-10db]

Test cases? We're talking about Facebook - the company that often tests software by just going live with it. Some people call this rapid development, but I call it sloppy garbage.

Re:

[140Mandak262Jamuna]

You call it sloppy garbage. The all knowing market with its invisible hand thinks it is worth a few billion dollars.

Re:Testing

[ebno-10db]

The all knowing market also brought us the tulip bulb bubble, and that invisible hand is reaching for your wallet.

Re:

[Pieroxy]

If you think you can keep something of the magnitude of facebook up 24/7 with no test cases you've not been in software development very long.

Re:

[ebno-10db]

FB is not up 24/7. It sometimes goes down for hours at a time (second hand info as I don't use it myself).

Furthermore, and rather obviously if you understand that not every passing snark is meant to be completely literal, my point was that they don't do very thorough testing before going live. I have no idea why anyone would be impressed by most of FB's "technology". They're hardly so bleeding edge that they can be forgiven such flakiness as an inevitable part of new technology. As a contrasting example, fi

Re:

[ebno-10db]

P.S. This comment below has some good insight. [slashdot.org]

Re:

[ebno-10db]

Call it what you like, the creators are billionaires and still have their youth.

By your logic I have no right to criticize the Deepwater Horizon catastrophe because BP is a big successful company.

Re:

[binarylarry]

They use PHP for fucks sake.

Re:

[ebno-10db]

Ebno's law: you can write bad code in any language, but some languages make it easier than others.

faceboo cannot arrest, imprison, rape, kill

[decora]

people, at least not that i know of.

people who cannot comprehend the difference between a priavte corporation, with your consent, sharing your information, and government agencies obtaining your email without warrant, are

1. uneducated
2. ignorant
3. i kind of worry about what their view on consent in other areas of life is, like sex.

Re:

[Anonymous Coward]

So, pretend Facebook sells your data to third parties and doesn't hand it all over to the government willy-nilly.

Then, realize that Booz Allen is a third party.

What does the NSA need your data for, when it can just hire a contractor who doesn't have fourth-amendment concerns?

Re:

[guttentag]

people, at least not that i know of.

people who cannot comprehend the difference between a priavte corporation, with your consent, sharing your information, and government agencies obtaining your email without warrant, are...

Facebook use leads to Arrest
5/26/13 In Britain, Police Arrest Twitter and Facebook Users If They Make Anti-Muslim Statements [businessinsider.com]

Facebook use leads to Imprisonment
5/25/13 Jailed for Facebook Comments, Marine Sues [wnd.com]

Facebook use leads to Rape
5/28/13 Facebook Rape Joke Prompts 15 Companies to Pull Ads [inquisitr.com]

Facebook use leads to Killing
2/09/12 Facebook "Defriending" Led to Double Murder, Police Say [reuters.com]

It seems you're right in that there is a difference between Facebook and the NSA. The NSA's system has a far cle

Re:

[aardvarkjoe]

aardvark's law: In any group of people, the majority are idiots.

Newsflash: stupid people use facebook. That doesn't make Facebook responsible for what they do.

Re:

[Doh!]

If only the NSA would let us join their social network we'd live in a safer world.

Good news! You can indeed join the NSA's social network. In fact you probably already have!

The NSA's PRISM social network works on practically any platform, on any device, even old landline phones! It integrates seamlessly with your email, SMS, and phone experience. PRISM auto-populates your contact list so there's no need to manually find and add your friends. Their strict privacy policy is the best in the industry — your personal data will never be sold or given to third party organizations or indiv

Most Appropriate Slashdot Mobile Ad Ever

[guttentag]

The ad that came up on this slashdot page was:

How long will you live? The Cookie will tell you!
Subscription $10/Mt

At first I thought it was a sarcastic commentary about Facebook browser cookies having more information about you than they should, and having to pay to get the information out of them. Or perhaps the existence of Facebook cookies in your browser telling advertisers something about your intelligence, like users of IE versus Chrome. Then I noticed the fortune cookie drawing next to it. And I thought capchas were nearing sentience when they began to exhibit a sens

The bug that exposes your info

[FuzzNugget]

It's just called "Facebook"

Criminal Liability?

[Secret Agent Man]

Is there any sort of punishment available for this? When a company hoards massive amounts of data, and it gets leaked, does anything happen other than "sorry, guess we goofed"?

This is one of the many reasons I don't like companies (or the government)sitting on so much data like this: If they have it, someone else will get it.

Re:

[thegarbz]

The problem with criminal liability for software bugs is that there wouldn't be any software if the risk of punishment was high. Making a perfectly bug free system is incredibly difficult, even more so if the bugs can be due to someone else's software (like MySQL or something similar, or the OS).

CODE SCHMODE

[JeanInMontana]

Facebook code is rewritten every Tuesday. On Wednesday expect things to be FUBAR and forget weekends when use is even higher. Anyone with an account must accept the fact they are in no way safe, secure or private in anyway no matter how diligent one is in trying to keep up with the ever changing settings and reverts to default.

Phone numbers..WTF?

[Anonymous Coward]

What sort of moron give stheir phone no. to facebook?

where did FB get my phone # and birthday?

[RavenManiac]

I didn't give it to them. Neither are mentioned in any posts.

I don't want to display that and wish to delete. Does Google+ do that? I suspect they can, but may not.

HA!

[JoeCommodore]

I don't have nay friends! :-P

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jones_supa]

The trick it that the datamining and stuff happens behind the scenes, and thus people do not sense their privacy being compromised. When people get to choose what they upload to the site, and they can set in the preferences which users can see the material, they feel that they are in control well enough and feel protected enough to keep using the site. They never receive the report stating where their data was sent to (with unlimited access to it), what kind of complex advertising profiles were created base

Security kudos

[AnotherAnonymousUser]

You have to admit, for all the Facebook bashing that happens, the fact that hacks, break-ins, and bugs of this nature are so uncommon, given that they're dynamically managing a userbase of a billion people, is an impressive task.

When break ins or bugs do occur, they happen in a very big and very bad way, as a single bug affects millions, and there's a lot of people I wouldn't want seeing my personal data. Most of us here seem to take the stance of locking down our Facebooks, keeping what's posted at a minimum, and generally keeping it at a distance with a ten foot pole, but there's admittedly very little respect for Facebook managing to be more or less secure from a technical standpoint. Now, their change deployment policy is god awful, but that's a different piece altogether...

Re:

[ebno-10db]

You have to admit, for all the Facebook bashing that happens, the fact that hacks, break-ins, and bugs of this nature are so uncommon, given that they're dynamically managing a userbase of a billion people, is an impressive task.

I have to admit no such thing. First, there are a billion accounts, not a billion users (many users have multiple accounts), and many accounts are largely dormant. FB loves to hype their numbers. Second, there are hundreds of millions of bank accounts in the world, many of them now accessible online. Financial networks have been around since the 60's and have gotten much more sophisticated. While not perfect, they're incredibly more reliable than FB, otherwise we'd all be keeping money in mattresses. People

Re:

[Pieroxy]

Waitwhat? Do you think Facebook communicates on all break-ins and hacks that happens? That's assuming they discover them all which is pretty unlikely IMO.

No, what we see in the news (such as today's news) is just the tip of the iceberg. How deep does the iceberg really goes, nobody will ever know. Look at Stuxnet!

Funny how that works.

[WOOFYGOOFY]

It's never advertiser's emails and contracts and deals that get exposed, although one can assume these things are held electronically and have a great deal of value to someone, certainly more value than the 0.25 -$1.00 lifetime value Average FB User's email is worth .

Not saying companies deliberately release their users emails so that when that information later figures as evidence in a crime / scam / scandal FB has plausible deniability.

get ev\eryone's email and personal info.
pretend to "lose" some .
???
pr

In related news

[gmuslera]

Facebook design exposed 1 billon users. And Facebook home country exposed 6 billon users. When you put things in perspective nothing really matters anymore.