Facebook urged to tighten privacy after data on thousands of users harvested
Software developer exploits loophole and harvests names, profile pictures and locations of users, as well as mobile phone numbers

Facebook has been urged to tighten its privacy settings after a software engineer was able to harvest data about thousands of users, including their mobile numbers.
The developer obtained the names, profile pictures and locations of users who had linked their mobile number to their Facebook account but had chosen not to make it public.
Security experts said the loophole would allow hackers to build enormous databases of Facebook users for sale on internet black markets. “They should be attempting to prevent the wide-scale hoovering up of data, and I’m disappointed to hear that they appear to have failed on this occasion,” said Graham Cluley, a computer security analyst.
Reza Moaiandin, the software engineer who discovered the flaw, exploited a little-known privacy setting allowing anyone to find a Facebook user by typing their phone number into the social network.
By default, this “Who can find me?” setting is set to “Everyone/public” – meaning anyone can find another user by their mobile number. This is the default setting even if that user has chosen to withhold their mobile number from their public profile.
Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these guesses to Facebook’s application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users’ profiles – and thus allowed him to identify which of the guessed phone numbers were correct.
Cluley said Facebook should make it “as difficult as possible” for third parties to scoop up even the publicly shared information belonging to Facebook’s 1.5 billion users.