Facebook wants to normalise news about leaks, new data leak surfaces


Facebook wants to deflect attention from its recent data breach by creating the impression that scraping incidents occur across the industry. Meanwhile, a new tool has surfaced that can retrieve the email addresses of Facebook users.

The new media strategy was leaked through an internal e-mail held by Data News. The e-mail came from Facebook’s communications department and was intended for the PR department of the EMEA region. The e-mail shows that Facebook has no intention of making any additional statements about the recent data leak, in which, among other things, the telephone numbers of over half a billion Facebook users were exposed. By remaining silent about the problem, Facebook hopes that media attention about the data leak will fade away.

Normalise news about data breach

However, the e-mail also describes a long-term strategy. Facebook wants to spread the idea that data scraping is a general problem that affects the entire industry. The focus should therefore be more on the work that Facebook is already doing to combat data scraping. By being more transparent about this, the company wants to counter criticism that it is not transparent about specific incidents.

Facebook has a point by saying that the scraping of user data is a problem that occurs more widely in the industry. This was proven only a few days after the Facebook data leak when the data of half a billion LinkedIn users was also offered for sale online. Here too, the information was gathered by scraping profiles from the platform. The same thing happened to Clubhouse: the data of 1.3 million of its users appeared on a hacker forum.

The way Facebook dealt with the data leak, however, can certainly be blamed on the company. At the beginning of 2017, an ethical hacker informed the company that it was possible to retrieve telephone numbers of Facebook users in large numbers. However, Facebook pretended that it was no big deal and only came up with measures after more than a year. These measures were apparently not enough because it was not until August 2019 that the problem was actually solved. The leaked data is from 2019.

In the e-mail, Facebook already said that it expected similar incidents to occur more often. Ironically, the company didn’t have to wait long for that. This week, a tool was released with which the e-mail addresses of Facebook users can be traced. The tool was developed by a researcher and is called Facebook Email Search v1.0. With the tool, it is possible to link Facebook accounts to up to 5 million e-mail addresses per day.

The researcher shows Ars Technica how he can, with a trusted Facebook account, link 6000 e-mail addresses to their corresponding Facebook users within a few minutes from a list of 65,000 e-mail addresses. If Facebook blocks the account used, the researcher can easily switch to another address. The researcher was able to obtain 250 trusted Facebook accounts for ten euros.

The researcher informed Facebook about the vulnerability, but the social medium initially did not consider it important enough to solve. That is why he shared his story with Ars Technica, under the condition that he could remain anonymous. It was only after Ars Technica contacted Facebook that the platform took action.

In a statement, Facebook says: “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.”

Facebook has since fixed the vulnerability by shutting down the technique used by the researcher. Still, it is notable that the vulnerability had to be shared in the news first, before Facebook proceeded to take action.
