This May, Mark Zuckerberg celebrated his 35th birthday. Congratulations! Zuckerberg did not make it to this milestone quietly, however. Instead, he faces a federal investigation looking at ways to hold him personally accountable for mismanaging users’ private data while Facebook-related scandals keep making headlines. In this post we have compiled Facebook’s 10 most prominent fails involving data misuse.
1. Cambridge Analytica: How it all began
It all started with the Cambridge Analytica scandal. Back in early 2018 we all learned for the first time with 100% certainty that the data and opinions we share across Facebook can be used by a third party without our consent. Cambridge Analytica’s harvesting of the data of 50 million Facebook users and its use of that data for political advertising shook the world, but it was only the beginning. To review those events, you can read this post.
2. Facebook tokens stolen
Half a year later, another scandal caught up with Facebook: Hijackers were able to exploit several vulnerabilities in Facebook and steal the access tokens (which are basically an equivalent of digital keys that keep people logged in) of millions of Facebook users.
In total, 30 million users had their tokens stolen. For 15 million, malefactors accessed their names and contact details. In 14 million cases, the attackers were able to see more detailed info and the users’ Facebook activities. For the remaining 1 million, the hijackers did not access any information. That was when Facebook users learned that Facebook is not impregnable and that their accounts could be stolen en masse without them doing anything wrong.
3. Facebook and Instagram passwords exposed
If 30 million wasn’t enough, another incident came along involving hundreds of millions of Facebook and Instagram users. In early 2019, Facebook made us aware that its internal processes related to user data security are far from perfect. The company admitted it was storing part of the passwords for Facebook and Instagram accounts in plain text. They insisted these passwords were visible to employees only and that no one abused their access permissions.
At this point, the exact number of affected users has not been disclosed. First, the company commented that the problem involved hundreds of millions of Facebook Lite users, tens of millions of regular Facebook users, and tens of thousands of Instagram users. One month later, it amended its comment to say the issue (now patched) affected not tens of thousands, but millions of Instagram users.
4. Instagram passwords exposed again
Actually, that was not the first time Instagram users learned they could’ve had their passwords leaked. Several months earlier, Instagram’s “Download Your Data” feature was discovered to contain a security flaw (now patched) that could have inadvertently exposed some Instagram passwords. If someone submitted their login information to use the feature, their password was included in a URL in their Web browsers and — again — stored on Facebook’s servers in plain text.
5. Facebook requested e-mail passwords and scraped contacts
Facebook scraped the e-mail contacts of 1.5 million users without their consent. Wait, it’s actually a bit more complicated than that. Here’s the story: Facebook was asking a subset of newcomers to verify their identities by providing passwords to their e-mail accounts. When the news broke, many thought it was an April Fool’s joke; no savvy Internet surfer could even imagine granting a third party access to their e-mail communications. Unfortunately, it was not a joke. And many fell for it.
Facebook insisted it didn’t access the contents of the users’ e-mails, just — unintentionally — scooped up their e-mail contacts. In total, the address books of 1.5 million users have been harvested. But given that people’s contact lists may have hundreds of contacts, the final number of those whose contact details were obtained this way may well be in the tens of millions. The company says it used the data to improve ad targeting, build Facebook’s web of social connections, and recommend new friends to users.
6. 2FA with Facebook, a tool for advertisers
Of course, we all want to keep our accounts safe, and two-factor authentication seems like an ideal way to do that. But even here, potential issues arise. For example, the phone number you provide when enabling two-factor authentication for your Facebook account will be automatically associated with your profile — without an opt-out option. As a result, anyone, regardless of whether they even have an account, can look up your user profile based on this phone number. Bonus: Facebook might also target the number with ads.
7. Your contacts are never safe from advertisers
As we mentioned tangentially above, Facebook and Instagram were giving advertisers access to contact information that users hadn’t even stored on Facebook! In other words, advertisers were (and, probably, still are) targeting us relying not only on the e-mail addresses and phone numbers we indicate on our “contact and basic info” page, but also on other data.
This data can include the phone number (if any) you put in for 2FA purposes and the junk e-mail addresses you hand over for discounts or for furtive online shopping. Also, if any of your contacts chooses to share (“synchronize”) their contacts with Facebook or uploads their address book to Facebook — to “find friends” — and their contact list includes a phone number of yours, even if you never entered that information anywhere on Facebook, advertisers will be able to target you with an ad using that phone number.
8. More Facebook data shared with advertisers
Facebook was tapping users’ data as leverage over companies it partnered with, leaked internal documents showed. For example, Amazon.com, which was spending significant sums on Facebook advertising, could obtain users’ names and e-mail addresses through their friends (as could Sony, Microsoft and many others).
Microsoft’s Bing search engine was allowed to see the names of virtually all of our Facebook friends without our (or their) consent. Netflix, Spotify, and the Royal Bank of Canada were given privileges to read, write, and delete our private messages, and to see all of the participants on a thread. Apple devices had access to the contact numbers and calendar entries even of people who had changed their account settings to disable all sharing.
The companies involved stated they never misused the data they accessed, and some said they didn’t even know they had such “extended” rights.
9. Facebook Marketplace leaked sellers’ exact locations
A flaw (now patched) in Facebook’s digital marketplace was exposing sellers’ exact locations (precise latitude and longitude coordinates), and by extension, their goods. To see the location, it wasn’t even necessary to log in to Facebook, leading some researchers to call the service “a shopping list for thieves.” That was especially worrying for those who were selling expensive bicycles, because those are a tasty morsel for criminals, and Marketplace was basically giving those bikes away to them by exposing the sellers’ location.
10. Facebook data exposed — by a third party
Two databases containing Facebook users’ information were found on the open Web, storing the data in plain text, allowing absolutely anyone to access and download it. One set of data came from a Facebook game application called “At the Pool,” which fell into disuse a long time ago. The second one, containing more than 540 million records, belonged to Cultura Colectiva, a Mexican media company operating throughout Latin America. Both exposed databases included the names and e-mail addresses of users, their friends’ lists, likes, comments, and all kinds of details that serve as means to analyze preferences and interests.
Although the information was not particularly sensitive, and Facebook’s own staff had nothing to do with the exposure, it still raised (again) questions of how Facebook is sharing users’ data with third parties, and echoed the Cambridge Analytica scandal that kicked off this post.