Facebook’s powerful search engine allowed any user to find an account by typing in an individual’s phone number or email address. While convenient and efficient, the ‘Search and Account Recovery’ function likely also helped “malicious actors” gain access to the personal data of “most” of Facebook’s two billion users, the company has admitted. Users who had not changed their settings to block the built-in search function were vulnerable to potential misuse of their data.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Mike Schroepfer, Chief Technology Officer at the company, revealed in a blog post on Wednesday.
“We’ve seen some scraping,” CEO Mark Zuckerberg acknowledged on a call with reporters, following Schroepfer’s revelations.
Third parties could easily gain access to user information by mining for raw user data on the Dark Web and then feeding random phone numbers and email addresses into Facebook’s search engine. In return, Facebook’s algorithms returned the accounts, with full names, of the people associated with those phone numbers or email addresses, Schroepfer explained in his post. Besides exploiting the search function, the culprits could also abuse Facebook’s account recovery function, impersonating legitimate users to retrieve forgotten account details.
“It is reasonable to expect… someone has accessed your information in this way,” Zuckerberg noted. “I would assume, if you had that setting turned on, that someone at some point has access to your public information in some way.”
To close the security loophole, Facebook announced that it has now “disabled” this feature and is also making changes to account recovery to reduce the risk of ‘scraping’. “We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” Facebook’s CEO said.
The revelation comes amid the growing Cambridge Analytica scandal, which broke last month. It was initially assumed that the London-based data mining firm had gained access to “only” 50 million accounts for political targeting and psychological profiling, including during the 2016 US election campaign. On Wednesday, however, Schroepfer revealed that Cambridge Analytica harvested data from 87 million people, including 71 million Americans.
“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Schroepfer said, at a time when Facebook’s protection of private user data has come into question.
Facebook’s failure to properly shield its users has already forced thousands to terminate their social media accounts under the #DeleteFacebook campaign. As a result, Facebook’s stock has lost more than $100 billion in market value. Zuckerberg has since been called to answer questions before a British parliamentary select committee and to appear before a House panel in the US. The 33-year-old also apologized for the “breach of trust” and pledged to make changes in Facebook policy to prevent further data mishandling.