Key takeaways

  • Software engineer detects Facebook glitch that compromises users’ profile data
  • Loophole sparks fresh cyber security concerns for the social media giant
  • Rising cyber crime rates highlight the importance of online security

Facebook is facing mounting pressure to rein in its privacy settings and improve its cyber security after a software engineer was able to harvest data from users who had revealed their mobile numbers online. According to an August 2015 report in The Guardian, a software engineer named Reza Moaiandin accessed the names, profile pictures and locations of users who had linked their mobile numbers to their Facebook account – even though users had opted to make this private.

Moaiandin exploited an obscure privacy setting called “Who can find me?”, which enables anyone to find a Facebook user by entering their mobile number into the social network. He used a simple algorithm to generate thousands of mobile numbers, sent these to Facebook’s application programming interface (API) and received reams of information on users’ profiles in a matter of minutes.

Although this glitch compromises publicly available information, cyber security experts believe that it allows hackers to create large databases of Facebook users and resell them on the black market. “If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default,” computer security analyst Graham Cluley told The Guardian. In the same article, Moaiandin said that the loophole is akin to walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: “Here are their customer details.”

Facebook has been subject to a series of data breaches over the last few years. In 2013, the social media behemoth accidentally exposed 6 million users’ phone numbers and email addresses to the public, thanks to a technical glitch in the archive of contact data it collects from 1.1 billion users around the world. And in March 2015, security researcher Laxman Muthiyah unearthed a serious vulnerability in the Facebook Photo Sync feature, which made synced private photos that were not published on Facebook available for public view.

The fact that online crime has escalated over the last few years has strengthened the imperative for robust cyber security and privacy measures as well as firm regulations around data breaches. In June 2015, the Information Security Breaches Survey, a joint report between the UK Government and PwC, found that 90% of large organisations suffered a security breach last year – up from 81% just twelve months ago. The report also found that only 63% of respondents invest or plan to invest in threat intelligence – a worrying outcome in light of findings that 75% of large organisations had faced an external attack from a cyber criminal in the past year.

Although Facebook maintains that it has firm rules in place when it comes to dictating how developers can use its API, the loophole has seen the social media giant reassert how important it is for users to educate themselves about its privacy settings – as well as the risks of sharing data online. “Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with,” a Facebook spokesperson told The Guardian. What cyber security measures has your business introduced to minimise data breaches on social media?



Steve Ingram

Steve Ingram is the leader of PwC Australia’s Cyber practice.
