Facebook admits hackers probably took your data … and maybe 2 billion other users
The taking of data by many firms – not just Cambridge Analytica – has likely affected a large cross-section of people in the developed world
Facebook said that “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.
The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users. Among the announcements Wednesday was that Cambridge Analytica, a political consultancy hired by then-presidential candidate Donald Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.
But the abuse of Facebook’s search tools – now disabled – happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.
The scam started when hackers harvested email addresses and phone numbers on the “dark Web” where criminals post information stolen in data breaches over the years.
Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometowns.
“We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” chief executive Mark Zuckerberg said in a call with reporters Wednesday.
Facebook said in a blog post Wednesday: “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.”
Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict the finding of their identities by phone numbers or email addresses.
But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing.
Hackers also abused Facebook’s account recovery function, by pretending to be legitimate users who had forgotten account details. Facebook’s recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings.
Names, phone numbers, email addresses and other personal information amount to critical starter kits for identity theft and other malicious online activity, experts on internet crime say.
The Facebook hacks allowed bad actors to tie raw data to people’s real identities and build fuller profiles of them.
Privacy experts had issued warnings that the phone number and email address lookup tool left Facebook users’ data exposed.
Facebook did not disclose who the malicious actors are, how the data might have been used or exactly how many people were affected.
The revelations about the privacy mishaps come at a perilous time for Facebook, which since last month has wrestled with the fallout of how the data of tens of millions of Americans ended up in the hands of Cambridge Analytica.
Those reports have spurred investigations in the United States and Europe and sent the company’s stock price tumbling.
The news quickly reverberated on Capitol Hill, where lawmakers are set to grill Zuckerberg at hearings next week.
The Federal Trade Commission said last week that it would open a new investigation in light of the Cambridge Analytica news, and Wednesday’s revelations are likely to complicate the legal situation, said David Vladeck, a former FTC director of consumer protection who oversaw the 2011 consent decree.
“This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree,” said Vladeck, now a law professor at Georgetown University.
“I don’t think that after these revelations they have any defence at all.” He called the numbers “just staggering.”
The data that Cambridge Analytica obtained relied on different techniques and was more detailed and extensive than what the hackers collected using Facebook’s search functions. The Cambridge Analytica data set included usernames, hometowns, work and educational histories, religious affiliations, and Facebook “likes” of users.
Other users affected were in countries including the Philippines, Indonesia, Britain, Canada and Mexico.
Facebook said it banned Cambridge Analytica last month because the data firm improperly obtained profile information.
Personal data on users and their Facebook friends was easily and widely available to developers of apps before 2015.
Facebook in March declined to say how much user data went to Cambridge Analytica, saying only that 270,000 people had responded to a survey on an app created by a researcher in 2014.
The researcher was able to gather information on the friends of the respondents without their permission, vastly expanding the scope of his data. That researcher then passed the information on to Cambridge Analytica.
Facebook declined to say at the time how many other users may have had their data collected in the process.
A Cambridge Analytica whistle-blower, former researcher Christopher Wylie, said last month that the real number of people affected was at least 50 million.
Wylie tweeted on Wednesday afternoon that Cambridge Analytica could have obtained even more than 87 million profiles. “Could be more tbh,” he wrote, using an abbreviation for “to be honest”.
Cambridge Analytica on Wednesday responded to Facebook’s announcement by saying that it had licensed data on 30 million users.
It has denied any wrongdoing in collecting or using Facebook data.