This is like your bank saying it's not their fault your money was stolen because someone took it away without permission. The point is that Facebook has a responsibility to keep the data you provide them secure. But the purpose of this press release is to make this responsibility seem either trivial or nonexistent.
You can show them that this responsibility is paramount. Stop giving them your data.
> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
But if you click on the "related post" at the bottom of the page, "Taking Legal Action Against Data Scraping" (Oct 2020) [0], you'll see this sentence:
> Scraping is a form of data collection that relies on unauthorized automation for the purpose of extracting data from a website or app.
It would be interesting to hear Facebook's PR team describe the difference between "Hacking" and "Unauthorized Automation", and why apparently the latter is nothing to worry about now, but was sufficient to generate lawsuits in October.
> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
.. a couple of paragraphs later:
> We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.
Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do. Which is also the definition of other "hacks", like SQL injection.
It reminds me of their Cambridge Analytica defense. Create an Open API, make all the data available to anyone who signs up for an API key, document and market the methods for extracting the data, define its boundaries and limitations, build a platform around it, and then claim you're the victim when one of your users does something bad with the data you gave them.
> Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do.
From the article it appears that the contact importer is an API endpoint which returns a set of Facebook profiles given a set of phone numbers. In that sense, it did exactly what the developer intended.
If I write a script to query google.com and get a response back you could say I'm not using google search as intended, but most software engineers would laugh at me if I claimed to have "hacked" Google in this way.
"Facebook confirmed to me that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. They pointed out to me that the exploit process is “complex,” but nonetheless did leave the platform open to abuse and put users at risk."
At a certain level the question is academic, and lawyering over definitions only distracts from the bigger picture. I trusted Facebook with my mobile number. They permitted bad actors to mis-use their service, and now bad actors have that number. Facebook should be held accountable. Whether it was through SQL injection or a poorly-thought-out API is academic.
It's almost what they intended. It was an internal API that they never thought would be exploited. (I.e. used by third parties.) Calling it scraping is a pretty fat lie.
I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.
On a side note, I remember learning about this feature, or maybe an earlier incarnation, a few years ago when a friend showed me the profile of a girl he had just met at a bar. The girl had a pretty common name so I asked my friend how he looked her up, did they have friends in common. I was really just curious how FB would know which person to show. He said "no, she gave me her number and you can look them up like so and so". (I can't remember whether you could search for the number or had to create a contact, but it's beside the point.)
I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.
This also explains how someone managed to call me from a UK number a few weeks ago trying to sell me some newspaper subscription. They said they were from the "Herald digest". And they did know my name (so it wasn't just dialling random numbers.)
> In that sense, it did exactly what the developer intended.
Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.
I thought the same thing. Is there another explanation for what this might mean?
Scraping to me is what google does, exploring links, saving and parsing data.
The contact importer presumably sourced data from iOS, google, outlook or similar address books.
You shouldn’t normally get data out that way, was it returning unexpected results from partial matches?
Maybe you could view a profile page by uploading an address book with partial, stubbed data. This page that then normally wouldn’t have been accessible to the user then was and those and any connected profiles were then crawled and scraped?
It seems to me you used to be able to view an otherwise private profile if the person had extended a friend request.
Right, they make it sound like it was publicly available data, but it was data unintentionally made public.
Sort of like saying "people scraped publicly available information from our website" when someone grabs passwords from a public-facing MongoDB database without a password.
You can choose to make your email on your profile public. Take a look at the number of emails exposed vs. the number of phone numbers exposed, there's a reason why it's a small portion, most people don't make that public.
This was just an attacker abusing "Who can look you up using the phone number you provided?" for users where this was set to the default of "Everyone" and then scraping the public details for the profile that popped up.
This is incorrect. Private phone numbers not publicly shown on your profile via the UI are included.
Mark Zuckerberg's own phone number was included, and you can bet he would never intentionally release that nor is he likely to misconfigure his privacy settings and leak it due to user error
Yeah, seems like the definition of hacking, what happened there. I mean Facebook could have at least rate limited or blocked this, but they had no mitigation. They even admit to having fixed it afterwards.
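The mitigation this comment and the earlier one about the "Who can look you up using the phone number you provided?" setting point at is straightforward to sketch. The following is an added example, not Facebook code and not from any commenter: a toy contact-importer endpoint that enforces the per-user lookup setting, applies a per-client rate limit, and blocks a client whose lookups mostly miss (a real address book import mostly matches existing users; a sequential sweep mostly does not). The directory entries, the thresholds (`RATE_LIMIT_PER_WINDOW`, `ENUM_MIN_QUERIES`, `ENUM_MAX_HIT_RATE`) and the class and method names are all assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> (display name, lookup setting).
# The setting mirrors the "Who can look you up using the phone number you
# provided?" choice; "everyone" is the default the thread complains about.
DIRECTORY = {
    "+15550000001": ("Alice Example", "everyone"),
    "+15550000002": ("Bob Example", "friends"),
    "+15550000003": ("Carol Example", "everyone"),
}

RATE_LIMIT_PER_WINDOW = 20   # assumed policy: lookups per client per window
WINDOW_SECONDS = 60
ENUM_MIN_QUERIES = 15        # only judge the hit rate after this many lookups
ENUM_MAX_HIT_RATE = 0.2      # at or below this, the client looks like a sweep


class ContactImporter:
    """Hypothetical lookup endpoint with the two missing controls added."""

    def __init__(self, now=time.monotonic):
        self.now = now                                   # injectable clock for tests
        self.windows = defaultdict(deque)                # client -> recent lookup times
        self.stats = defaultdict(lambda: [0, 0])         # client -> [queries, hits]
        self.blocked = set()

    def _within_limit(self, client):
        q = self.windows[client]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:                       # drop timestamps outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT_PER_WINDOW:
            return False
        q.append(self.now())
        return True

    def _looks_like_enumeration(self, client):
        queries, hits = self.stats[client]
        return queries >= ENUM_MIN_QUERIES and hits / queries <= ENUM_MAX_HIT_RATE

    def lookup(self, client, requester_is_friend, phone):
        """Return the matched name or None; raise PermissionError when throttled or blocked."""
        if client in self.blocked:
            raise PermissionError("client blocked for enumeration-like behaviour")
        if not self._within_limit(client):
            raise PermissionError("rate limit exceeded")
        self.stats[client][0] += 1
        result = None
        entry = DIRECTORY.get(phone)
        if entry is not None:
            name, setting = entry
            # Honour the user's own setting instead of treating every number as public.
            if setting == "everyone" or (setting == "friends" and requester_is_friend):
                result = name
                self.stats[client][1] += 1
        if self._looks_like_enumeration(client):
            self.blocked.add(client)                     # takes effect on the next call
        return result


if __name__ == "__main__":
    imp = ContactImporter()
    # A genuine import: three known numbers, high hit rate, never blocked.
    for num in ("+15550000001", "+15550000003", "+15550000002"):
        print("import", num, "->", imp.lookup("phone-app", False, num))
    # A sequential sweep: mostly misses, blocked once the hit rate is judged.
    for n in range(16):
        try:
            imp.lookup("sweep", False, f"+155500000{n:02d}")
        except PermissionError as exc:
            print("sweep stopped at query", n + 1, ":", exc)
            break
```

The hit-rate heuristic is deliberately simple; in a real service it would sit beside per-account anomaly scoring and would treat "friends"-only numbers as misses for non-friends, exactly as the code above does, so that privacy settings and abuse detection reinforce each other.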
Don't really want to defend Facebook, but the amount of cynicism and bad faith here is too much. This article should be welcome, it gives us more information on what happened. It clarifies that this was not some sort of database leak (which is much more damaging), but an API abuse that allowed bad actors to figure out people's phone numbers. Overall the article brings transparency to the situation, which is good.
I would have preferred if this were a database leak. At least that would have shown some effort towards protecting user data. The fact that it was acquired through a public-facing API makes it much worse, in my opinion, as it shows Facebook isn’t that concerned about protecting sensitive data.
I'm curious if the repeated negative press Facebook has received has impacted their hiring. Boots on ground perspectives appreciated, but I can share a data point of one: I'm a very average developer, and I get at least quarterly reach outs from Facebook-- a higher frequency than I've ever heard from any FANG (or any company in general). I used to get ads on the platform for FB Engineering jobs. After I deleted the app, I started getting ads in my LinkedIn feed for FB engineering. They might have a hefty recruiting budget, or there could be challenges. On the other hand, all the negative press might attract some candidates that disagree with the media.
As long as they pay top of market (and they do), people will work for them. FB consistently beat Google and other top employers by non-inconsequential figures.
There's also the case of Google being ethically bankrupt as well (undisclosed DoubleClick tracking backdoor in Chrome).
I don't see the argument that FB is worse than Google. Google will snoop on your private messages for information that they can use to feed their advertising machine, and they have an entire browser dedicated to ad networks (they regularly implement insecure APIs that are immediately abused by DoubleClick customers, including on high profile sites).
n=1, but a friend had offers from Google and Facebook, and went to Google largely because it wasn't Facebook.
In my highly educated circles, McKinsey is held in higher esteem than Facebook. Thinking about that now, a few years of selecting for people who "disagree with the media" and are content with burning down society for a quick buck would really explain a lot.
If you work at Facebook and you feel compelled to tell me why your personal Faustian bargain was actually not such a bad thing, read Mistakes Were Made (But Not by Me).
I know a guy who joined FB as a software dev manager a few years ago and left in less than a year. (Maybe after just six months.) He is definitely pretty critical and sometimes hints at how the internal culture is problematic and causing some of the issues visible from the outside. (He doesn't tell too much, though, for obvious reasons.)
I have also noticed that more than half of my recruiter emails seem to come from Facebook, i.e. that they amount for more than every other company put together.
"Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors."
Hmm, that's interesting. I read about a court case recently that seemed to say scraping was okay and also that companies shouldn't work to prohibit scraping.
Like when they used to show your name & profile picture after a failed login with just an email and empty password. Aside from being another inadvertent information leak, it would have been tragic if that was part of an attempt to decrease the (deliberate) login failure rates.
Oh, wow. I can confirm that said "feature" is still live. People's names and profile pictures show up after entering their email address in the login form shrug
I believe that was changed to only happen on a browser you've used that account with before. I haven't checked, so I could be wrong. Still not great if you login to your account on a public system.
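The failed-login behaviour described in the last three comments is a textbook account-existence leak. As an added example (not Facebook code and not from any commenter), here is a leaky login handler that reproduces that behaviour next to a hardened one that returns the same message for an unknown email and a wrong password and does the same hashing work in both cases. The user record, the fixed salt and the hypothetical `leaky_login` / `hardened_login` names are constructed for the example; PBKDF2 is used only to keep it standard-library, not as a production recommendation.

```python
import hashlib
import hmac


def _hash(password, salt):
    # Stdlib-only password hashing for the example; a real service would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-fixed-salt"  # constructed; real systems use a random salt per user

# Constructed user store: email -> profile data plus salted hash.
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "picture": "/img/alice.png",
        "salt": _SALT,
        "hash": _hash("correct horse", _SALT),
    },
}

# Verified when the email is unknown so that unknown-email and wrong-password
# attempts cost the same amount of work (assumption: equal-cost dummy check).
_DUMMY_HASH = _hash("dummy-password", _SALT)


def leaky_login(email, password):
    """Mirrors the complaint above: a failed attempt still reveals whose account it is."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account with that email"}
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return {"ok": True, "name": user["name"]}
    # Name and picture are returned even though the password (possibly empty) was wrong.
    return {"ok": False, "error": "Wrong password",
            "name": user["name"], "picture": user["picture"]}


def hardened_login(email, password):
    """Identical response and identical work for unknown email and wrong password."""
    user = USERS.get(email)
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else _DUMMY_HASH
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if matched and user is not None:
        return {"ok": True, "name": user["name"]}
    # One generic message: nothing distinguishes "no such account" from "wrong password".
    return {"ok": False, "error": "Invalid email or password"}


if __name__ == "__main__":
    print("leaky, empty password:   ", leaky_login("alice@example.com", ""))
    print("hardened, empty password:", hardened_login("alice@example.com", ""))
    print("hardened, unknown email: ", hardened_login("nobody@example.com", ""))
```

The point of the dummy hash is that the hardened path does the same PBKDF2 work whether or not the account exists; returning early for an unknown email would leak existence through response time even with a generic message.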
The attitude that this company (and many others) has towards the data they collect from billions of people is stunning. They claim that there was nothing they could do, even when one of their tools was misused to gather phone numbers. They don't take accountability for the fact that this likely already has and will continue to enable spammers and scammers to much more easily target their users. They refuse to send out notifications to affected users (which they should have done 2 years ago). We need legislation punishing companies for being negligent with the sensitive user data they collect or this shit is never going to end.
Data they collect by abusing Android and other permission systems, reading contacts in adjacent apps like WhatsApp, etc. It's gluttony that they are now pretending is a moral high ground.
I can only speculate but what I think we are seeing here is a statement made in earnest by a corporate communication team, crafted with significant input from a product team. To admit that this was an intrusion would be severely career limiting. So they explain it in a hand-wavy fashion, enough to get the Comms people off their back. The end result is this unsatisfying explanation.
Just speculation. There has to be a method to the madness that is Facebook press releases.
> "We’re focused on protecting people’s data by working to get this data set taken down".
I am sorry but that ship has sailed. I have already received several spam messages at the unique email address I used only for Facebook login, so the data has been spread very wide at this point.
My phone number was removed and my account deleted when they say this hack happened. My phone number is in the leak. Doesn't that mean that my phone number was in it because other people's contacts were imported, or because they didn't actually delete my info?
The contact importer should not be turning up deleted Facebook accounts, so it seems like Facebook was keeping data on you even after you deleted your account.
If you are an EU resident, this can be a GDPR violation so you should follow up.
Deleting my Facebook account has been one of the most mentally liberating and satisfying decisions I have made in the last year. I used a Chrome add-on to totally delete every post and clear everything out too--why let them have anything even when I'm gone.
Facebook is amazing to me, no matter what the issue, the company responds in a weird PR speak dialect that evokes circa 1990 Philip Morris. They have a weird voice.
I remember the pop ups to please add your phone number, you know, just for security! They promise to never show this to anyone... and then this happens.
They are profiling like crazy. I'm pretty sure they have at least an estimated income attached to almost every single one of us. Also, they do have credit card numbers for those who buy ads.