Personal data of 170 million Facebook users exposed, collected, and shared without any hacking
Using publicly available information on Facebook, a researcher has been able to gather personal details of nearly 170 million users of the service, or about a third of all users. The data includes names, addresses, e-mails, phone numbers, and birthdays: essentially anything that was not marked as private is now part of this file.
The file has now ended up on The Pirate Bay, and so far has seen over 10,000 downloads. This could mean hackers would have an easy way to obtain personal information necessary for identity theft and other malicious uses.
Skull Security researcher Ron Bowes was the man behind the work. He did not hack into the service at all but rather scraped the data from Facebook's open directory. While it's a violation of the social networking site's terms of service, nothing is stopping anyone from doing it.
Bowes has decided to make the file a torrent, even though he acknowledged that the more information an attacker has on a person, the higher the likelihood of a security breach. His move is somewhat curious considering he arguably could be held liable for attacks that result from his actions.
Even so, the incident could prove to be a wake-up call for those sharing data on Facebook. "I am of the belief that, if I can do something then there are about 1,000 bad guys that can do it too," he told the BBC News Thursday.
"For that reason, I believe in open disclosure of issues like this, especially when there's minimal potential for anybody to get hurt. Since this is already public information, I see very little harm in disclosing it," he argued.
Facebook Spokesperson Andrew Noyes told several media outlets that this was public information and no private information had been disclosed as a result of Bowes' work. The quick downplay of the data leak is probably due to the drubbing the social networking site has taken when it comes to privacy as of late.
To ensure that their own data is not at risk, Facebook users should take the following steps. Click on "Privacy Settings" under the Account menu option. Ensure that no information is set for "Everyone" to view. Alternatively, the user can also uncheck "Enable Public Search", which removes the account from the directory Bowes used to do the data mining.
The Skull Security website was inaccessible as of Thursday afternoon.