Updated on April 4 at 5:14 p.m. ET
It seems like an innocuous enough feature. Until Wednesday, anybody on Facebook could enter a phone number or email address and find the Facebook profile associated with it. Useful if you’re searching for “John Smith” or its global equivalents.
But now imagine that someone has a list of email addresses or phone numbers that have been gathered outside of Facebook. With a simple script, that person could simply enter phone number after phone number and create a database of Facebook profiles, including whatever public information was available there.
And it appears that this, indeed, happened. In an announcement on the company’s plans to restrict data access by outside companies, Facebook noted:
Malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.
“Most people on Facebook” means that we’re talking about at least a billion users whose public Facebook information has been spirited away into databases unknown.
This is the latest in a series of revelations about data leaking out of Facebook’s massive storehouses of user information. This new round was touched off by the revelation that Cambridge Analytica, acting through affiliates and researchers, built a database of tens of millions of profiles.
Specific to Cambridge Analytica, Facebook announced that they believe the data from 87 million profiles may have been exfiltrated by the company, mostly in the United States. That’s a large increase from the 50-million-profiles number that’s been at the center of the discussion, and represents a substantial chunk of Facebook’s American user base.
In a conference call with reporters to discuss Facebook’s recent moves, CEO Mark Zuckerberg said that he wasn’t sure precisely how many people were affected, but repeated that the sophistication of the scraping led the company to think that most people’s profiles might have been hoovered up.
Facebook had already “rate-limited” these types of searches, preventing people from just typing hundreds of numbers into the box over and over, but “malicious actors” whom Zuckerberg did not identify were able to work around that safeguard. They “cycled through hundreds of thousands of IP addresses and did a relatively small number of queries for each one,” Zuckerberg said.
Users do have a privacy setting that could prevent them from being searched by phone number or email address, but few people had it switched on because most people didn’t (and never do) change the default.
The bottom line, Zuckerberg said, is that “if you had that setting turned on, I would assume that someone has accessed your public information in that way.”
We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.
