Facebook Accounts Hacked and Exposed
The details of 100 million Facebook users - a fifth of the social networking site's members - have been posted online by a security analyst, in a stark demonstration of the potential privacy weaknesses of social networks.
In a detailed blog post, Ron Bowes of Skull Security explained that he used a simple piece of code to perform the scrape, which took any data not already locked down within personal privacy settings. However, as of this morning, his web site and the blog post were unavailable.
The list of users has been shared on peer-to-peer site The Pirate Bay; the packaged files include names and Facebook URLs.
Facebook is calm about the hack, explaining that the information that was taken had already been made public by users.
"This information already exists in Google, Bing, other search engines, as well as on Facebook," the social network said.
"No private data is available or has been compromised. Similar to a phone book, this is the information available to enable people to find each other, which is the reason people join Facebook."
However, the firm is investigating whether the collection of information in this way was a violation of its terms and conditions.
Graham Cluley, senior technology consultant at security firm Sophos, concurred with Facebook's stance, explaining that the scrape was enabled by lax user controls.
"This wasn't really a 'hack' as such, as the guy who collected this information didn't have to break into accounts to access the information," he said.
However, Cluley added that, rather than highlighting an issue with Facebook's security in itself, the attack had displayed a lack of knowledge and awareness among users, and was indicative of the way Facebook makes it difficult for users to control their own accounts.
"Facebook has gradually eroded its users' privacy over the years in an attempt to share more information with the rest of the internet," he said.
"The only information in the torrent file is the user's name and Facebook URL. If they had also scooped up other information from the profiles (which is publicly available) then that would clearly be more dangerous."
Cluley said he hoped the incident would prompt social network users to harden their security settings.
"Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don't know."
The way that the apparent vulnerability was exposed and shared also drew scorn from Cluley, who suggested that Bowes had acted irresponsibly.
Bowes said that he took and published the details to highlight the problems people face using Facebook, but Cluley remained sceptical.
"In my view his collecting of this data, although not illegal, was irresponsible, and I cannot imagine that he has done anything to make the internet a more secure place through his actions," he said.