Hackers are using a software called Facebook Email Search v1.0 to uncover millions of Facebook users’ email addresses, even if the addresses are set to private. This user data, paired with the 533 million phone numbers leaked from Facebook just a few weeks ago, may help hackers break into accounts or build a database of Facebook users’ private info.
Facebook Email Search v1.0 exploits a front-end vulnerability in Facebook’s website. It automatically links user IDs to their associated email addresses, allowing a single hacker to harvest about 5 million email addresses per day. Facebook says that it patched a nearly identical vulnerability earlier this year, though the problem clearly remains unfixed.
In a conversation with Ars Technica, an unnamed researcher claims that he demonstrated the exploit to Facebook, but that the social media giant chose to ignore the issue. Facebook told the researcher that it “does not consider [the vulnerability] to be important enough to be patched,” despite the fact that it’s a clear security risk and a violation of users’ privacy.
Ready for a double-whammy? Facebook not only ignored the vulnerability, but is actively encouraging its PR representatives to downplay and normalize data breaches. An internal Facebook email accidentally sent to journalists at Data News after the April 5th phone number leak states the following:
LONG-TERM STRATEGY: Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this actively happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.
Hundreds of millions of Facebook users have had their private information compromised this month due to two separate website vulnerabilities. And in the face of this “significant volume of scraping activity,” Facebook hopes to normalize leaks and admits that data dumps are “ongoing.” For a website that’s obsessed with gathering user data, Facebook’s negligence is a major red flag.
Facebook now states that it “erroneously closed out this bug bounty report before routing to the appropriate team,” and that it is currently investigating the problem. It isn’t clear when the company will actually patch this vulnerability or how many accounts have been affected. The current impact of the leaked user data is also unknown.