Facebook breach: user phone numbers exposed but who's to blame?

Summary: The latest privacy breach on Facebook can't be fully blamed on Facebook. This time, users are the ones putting themselves at risk.

There's a privacy breach of sorts underway on Facebook right this minute - and it involves your phone number.

But before you go blaming Facebook for this one - and, yes, the company should share in the blame - we, the users, are the ones who deserve a slap on the hand this time. The Los Angeles Times today profiled a new service called Evil, which scours public Facebook pages for phone numbers and then exposes all but the last three digits, along with the person's name and Facebook picture on a Web page.

If you've ever typed your phone number on a Facebook wall, maybe as part of a small group or just to tell a friend to call you, it could be out there for anyone on the Web - even non-Facebook members - to see, depending on the privacy settings in place for that wall.

That's where Facebook's share of the blame comes in. Facebook has once again compromised users' privacy settings by not only making the process more complex but by making it an opt-out process, instead of opt-in. Users may not necessarily be aware that their wall page is set for everyone - the entire Internet - to see. So when they announce to their friends that they've lost their phone on a Facebook wall and friends reply by posting their phone numbers... well, you end up on Evil.com.

The developer, Tom Scott, told the Times that he's not looking to expose the phone numbers but rather to send a message to users that Facebook can't truly be secure until users start acting responsibly about what they post. Facebook can only do so much. On the Evil home page, Scott explains:

There are uncountable numbers of groups on Facebook called "lost my phone!!!!! need ur numbers!!!!!" or something like that. Most of them are marked as 'public', or 'visible to everyone'. A lot of folks don't understand what that means in Facebook's context — to Facebook, 'everyone' means everyone in the world, whether they're a Facebook member or not. That includes automated programs like Evil, as well as search engines... Evil uses the graph API to search for groups about lost phones. It picks them at random, extracts some of the phone numbers, and then shows them here.

Scott also said that he isn't doing anything that anyone else couldn't do manually - even just by way of a Google search. The service, which Scott developed and is hosting on his own site, is not evil - but it could be. He writes:

It's called Evil, not diabolic. Those digits are publicly available though, and I - or anyone malicious - could easily flick a metaphorical switch and show them here. Or produce a phone directory. Or nick them for marketing. Don't forget, the Facebook pages you "Like" are public too.

By the way, Scott says he's looking for work doing web, video and viral stuff. Hopefully, Evil becomes viral enough for people to go in, delete posts with their phone numbers and be more careful in the future.

Topics: Telcos, Mobility, Social Enterprise

Talkback

63 comments
  • RE: Facebook breach: user phone numbers exposed but who's to blame?

    [i]Facebook has once again compromised user's privacy settings by not only making the process more complex but by making it an opt-out process, instead of opt-in.[/i]

    While users should be more careful about what they post... this statement is the most important. It would protect stupid users from themselves. It is a shame facebook just doesn't get it. My guess is, after their new upcoming changes... they still won't.
    Badgered
    • RE: Facebook breach: user phone numbers exposed but who's to blame?

      @Badgered

      and seeing as Facebook is constantly changing things they have to keep in mind that there are actually people that do not check their facebook every waking minute of every day. I may hop on once or twice a week at most.
      bobiroc
  • Your phone number will be safe if you switch from Windows

    At least that is what Jason Perlow would have us believe. If anything goes wrong on Facebook, it is probably Windows' fault and switching to Linux will hide your phone number again. Or so the story goes.
    NonZealot
    • Only in this case we know the cause while with Jason the cause is a mystery

      http://www.zdnet.com/blog/perlow/windows-malware-the-final-straw-that-broke-the-penguins-back/12768

      You (conveniently) forget to mention that Naraine, a zdnet blogger who works as a security consultant for Kaspersky, believed that Jason's problem was caused by Windows malware, not some sort of cross-site scripting attack or anything else.

      As someone would say: "Cue the double standards"
      OS Reload
      • He was phished. Plain and simple.

        @OS Reload
        The one and only, Cylon Centurion
      • He was phished. Plain and simple.

        @OS Reload

        Can happen on any platform. Plain and simple.
        The one and only, Cylon Centurion
      • The double standards are not mine

        @OS Reload
        Say a user is having a problem in OS X or Linux. Would you recommend they switch OSs without investigating what the cause of the problem is or would you "guess" at the cause and simply say [i]It might be this, maybe, so switch your OS to solve the problem that it "might" be[/i]? Sure, it [b]might[/b] have been malware but no one investigated any further. Such shoddy investigation would [b]never[/b] have been tolerated in Linux or OS X. Jason actually highlighted the problem [b]again[/b] with his MFD printer blog which he later apologized for because he didn't investigate solutions before suggesting that everyone switch away from Windows. Turns out there was actually a very easy fix, something he later admitted.

        So yes, cue the double standards... [b]your[/b] double standards...
        NonZealot
      • RE: Facebook breach: user phone numbers exposed but who's to blame?

        @OS Reload In this I have to agree with NonZealot - Windows is the usual suspect in instances like this when it could have very well been an issue with Facebook... Naraine may believe that the issue was with Windows but is he absolutely certain?
        athynz
    • RE: Your phone number will be safe if you switch from Windows

      @NonZealot Well yeah, duh! My phone number would obviously be much safer if I switch from my Dell XPS running Windows 7 to a Mac running OS X...

      Seriously though this has nothing to do with Mac vs PC, iPhone vs whatever, or anything other than people being stupid by posting their phone numbers on a "lost my phone need your numbers" FB page that is OPEN...
      athynz
      • RE: Facebook breach: user phone numbers exposed but who's to blame?

        @athynz
        I don't have a FB account, never did, but don't sites require/ask for a phone number to register? Does FB? I don't know. But from what I am reading FB will probably make that public too, if they don't already.

        Here a company run by a 26 year old child, is now being investigated for securities fraud. And you people want to trust your personal information with HIM?????

        AAAAAAHAHAHAHAHHAHAHHAHAHHAHHAHAHHAHHAHAHHAHAHAHHAHAHAHAHAHHAHha.
        Stan57
      • RE: Facebook breach: user phone numbers exposed but who's to blame?

        @athynz
        Jason recently posted a blog about how he switched from Windows to Linux because of Facebook malware that he was never actually able to find. I was making fun of his deductive abilities (or lack thereof):
        http://www.zdnet.com/blog/perlow/windows-malware-the-final-straw-that-broke-the-penguins-back/12768
        [i]My FaceBook account was somehow compromised
        ...
        To this day I still have no idea what whacked me. [/i][b]Yet the title on his blog is Windows Malware: The final straw that broke the penguin's back[/b][i]
        It appears over 1.5 million FaceBook accounts have been compromised via a Russian hacker. While I can't rule out that a direct account compromise via brute force password attack rather than a Windows trojan was the culprit, I'm not going to assume up front I was part of this site-wide compromise.[/i][b]I am, however, going to assume that I wasn't part of this compromise, hence the title of my blog.[/b][i]
        ran a full Kaspersky 2010 scan - which took hours even after I did a spring cleaning and trashed all the garbage - and came up with absolutely nothing.[/i]
        NonZealot
    • I agree!

      @NonZealot
      No Linux users were compromised.
      Linux Geek
  • RE: Facebook breach: user phone numbers exposed but who's to blame?

    Phone book breach! You can find millions of phone numbers there! Security! Security! OMG! The sky is falling (again).

    Let's get real here, folks!
    optimist134
    • RE: Facebook breach: user phone numbers exposed but who's to blame?

      @optimist134 I think they may be more concerned with unlisted phone numbers, cell phone numbers that aren't normally available publicly without a lot of digging, etc.
      ComputerDinosaur
  • RE: Facebook breach: user phone numbers exposed but who's to blame?

    Most of the issues on facebook are caused by USERS. I see people joining public groups daily--some are obvious copyright violations and geared for spam or hoaxes. Yet several people will join them--usually the same friends that click on anything pretty and shiny. They can't be bothered to read. Can't be bothered to think. That's not facebook's problem. Who is dumb enough to post their phone number to a public group?!? Or ask your friends to post in a group?? Hello! E-Mails? FB Msgs? The people involved in this breach are the ones putting themselves out there. Most websites with wall/forum postings are ALL PUBLIC, ALL SEARCHABLE BY GOOGLE OR ANYONE ELSE. I don't know of a discussion board that isn't, so why would my discussion wall be completely private by default? Seems the least likely choice to me.
    royalef
    • RE: Facebook breach: user phone numbers exposed but who's to blame?

      @royalef

      yes, most of the issues are caused by the users... while the rest is caused by Facebook.
      magallanes
  • RE: Facebook breach: user phone numbers exposed but who's to blame?

    Here's my post on privacy vs. security on Facebook:

    http://thetubageek.blogspot.com/2010/05/tech-tuesday-conundrum-privacy-or-trust.html
    russdwright9
  • Who's to blame?

    The users for putting their phone numbers on a site like Facebook!
    What a bunch of idiots...
    wcallahan1
    • RE: Facebook breach: user phone numbers exposed but who's to blame?

      @wcallahan@...

      I still remember the times when everybody published fake information in your profile (for example, my former phone was 555-2501)
      magallanes
  • Facebook isn't responsible for what you post!!!

    You are! Why should Facebook protect stupid users from themselves?
    wcallahan1