Most people on Facebook may have had their public profile data hijacked: That was the blunt admission from the social network on April 4, as the company rolled out a series of privacy updates to its 2.2 billion monthly active users.
Until this week, anyone could search for another person using their phone number or email address. But the social network now admits that “malicious actors” could abuse the feature to “scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery.”
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook’s chief technology officer (CTO), Mike Schroepfer, wrote in a blog post detailing the firm’s new data plans, adding: “We have now disabled this feature.” In this case, data would include names, profile pictures, cover photos, and ages.
The revelation was bundled alongside the news that 87 million people in total had been impacted by the Cambridge Analytica data misuse scandal alone. The misuse saw their personal account data being abused for political profiling purposes, after being scraped by a personality test application circulated on the platform in 2014.
The new number amounts to 37 million more profiles than initially believed, but even Facebook admitted in its blog post that the figure was only an estimate.
“We do not know precisely what data the app shared with Cambridge Analytica or exactly how many people were impacted,” read the small print under a graph showing which parts of the world were most impacted. Residents of the U.S. made up more than 81% of victims, it revealed.
CEO Mark Zuckerberg said on April 4 the changes were made as “too many apps and too many folks who would have had access to people’s content.”
He explained: “What we found here is we built this feature, and it’s very useful. There are a lot of people who were using it until we shut it down today to look up the people who they want to add as friends but they don’t have as friends yet.
“Especially in places where there are languages that make it easier to type in a phone number or a number than for someone’s name, or where a lot of people have the same name, it’s helpful to have a unique identifier to disambiguate.”
He added: “But I think what was also clear is that the methods of rate limiting this weren’t able to prevent malicious actors who cycled through hundreds of thousands of different IP addresses and did a relatively small number of queries for each one. Given that and what we know today, it just makes sense to shut that down.”
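The failure mode Zuckerberg describes, as an added illustration that is not part of the original article or of Facebook’s systems: a per-IP threshold never trips when a scraper spreads a few queries over thousands of addresses, while a detector that watches the aggregate lookup volume across all IPs does. The thresholds, IP ranges and traffic mix below are constructed assumptions (scaled down from the “hundreds of thousands” quoted above).

```python
"""Why per-IP rate limiting alone misses distributed scraping of a
phone/email lookup endpoint, and what an aggregate detector sees instead.
All numbers, addresses and log events here are constructed for illustration."""
from collections import Counter

PER_IP_LIMIT = 20        # hypothetical: max lookups one IP may issue per window
GLOBAL_BASELINE = 500    # hypothetical: normal lookups per window, all IPs combined
SPIKE_FACTOR = 3         # hypothetical: alert when volume exceeds baseline * factor


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Classic per-source rate limiting: flag IPs above the per-window limit."""
    counts = Counter(ip for ip, _query in events)
    return {ip for ip, n in counts.items() if n > limit}


def aggregate_alert(events, baseline=GLOBAL_BASELINE, factor=SPIKE_FACTOR):
    """Fleet-wide view: total lookups and spread across sources, independent of
    how many IPs the traffic was divided among."""
    total = len(events)
    unique_ips = len({ip for ip, _query in events})
    return {
        "total": total,
        "unique_ips": unique_ips,
        "queries_per_ip": total / unique_ips if unique_ips else 0.0,
        "alert": total > baseline * factor,
    }


def constructed_window():
    """One constructed time window: (source_ip, lookup_key) events."""
    # Legitimate users: 400 people, each doing one friend lookup from their own IP.
    legit = [(f"198.51.{i // 256}.{i % 256}", f"friend-lookup-{i}") for i in range(400)]
    # Scraper (scaled down): 2,000 distinct IPs, 5 lookups each = 10,000 queries.
    # Every individual IP stays far below PER_IP_LIMIT.
    scraper = [(f"203.0.{i // 256}.{i % 256}", f"+1555{n:07d}")
               for i in range(2000) for n in range(i * 5, i * 5 + 5)]
    return legit + scraper


if __name__ == "__main__":
    window = constructed_window()
    print("per-IP offenders:", per_ip_offenders(window))   # empty: no IP exceeds 20
    print("aggregate view:", aggregate_alert(window))       # alert: 10,400 >> 1,500
```

The per-IP check returns no offenders because no single address exceeds its limit, while the aggregate view reports roughly 4.3 queries per IP at 20 times the baseline volume, which is the signal a per-source limiter cannot see.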
In the wake of the Cambridge Analytica incident, which resulted in Zuckerberg being called to appear before Congress this month, Facebook has been updating its privacy settings for users. It faced an unprecedented backlash from investors and social media was set ablaze by a #DeleteFacebook movement.
Experts suggest it could be a turning point for how internet users view security. “This is one of those situations that should be an eye opener to people on the importance of reading before clicking OK,” said Craig Young, computer researcher at Tripwire, a U.S.-based cybersecurity firm. “Many Facebook users are naturally upset about this situation but, in the end, the moral of the story here is that people need to be more considerate about what data they are sharing and with whom.”