Facebook Confirms Data Breach 155
another random user writes "A researcher by the name of Suriya Prakash has claimed that the majority of phone numbers on Facebook are not safe. It's not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook's 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort. Facebook has confirmed that it limited Prakash's activity but it's unclear how long it took to do so. Prakash disagrees with when Facebook says his activity was curtailed." Update: 10/11 17:47 GMT by T : Fred Wolens of Facebook says this isn't an exploit at all, writing "The ability to search for a person by phone number
is intentional
behavior and not a bug in Facebook. By default, your
privacy settings allow everyone to find you with search and friend finder
using the contact info you have provided, such as your email address and
phone number. You can modify these settings at any time from the Privacy
Settings page. Facebook has developed an extensive system for preventing the malicious
usage of our search functionality and the scenario described by the
researcher was indeed rate-limited and eventually blocked." Update: 10/11 20:25 GMT by T : Suriya Prakash writes with one more note: "Yes, it is a feature of FB and not a bug.but FB never managed to
block me; the vul was in m.facebook.com. Read my original post. Many other security researchers also confirmed the existence of this bug; FB did
not fix it until all the media coverage." Some of the issue is no doubt semantic; if you have a Facebook account that shows your number, though, you can decide how much you care about the degree to which the data is visible or findable.