Facebook Admits Most Of Its 2B Users Had Their Public Profiles Scraped Without Permission

Another data issue for Facebook: The company announced that “malicious actors” were able to use search tools to discover the identities and collect information on most of its 2 billion users worldwide.

The news came on the same day that the social media site admitted that the number of users whose data was improperly shared with Cambridge Analytica could be much higher than the originally estimated 50 million. In fact, Facebook now says that up to 87 million users may have had their data shared with the research firm.

According to The Washington Post, the abuse of Facebook’s search tools, which are now disabled, happened on a broader scale and over several years. Even worse: probably few Facebook users were able to avoid the scam, company officials stated.

The company explained that malicious hackers harvested email addresses and phone numbers on the “Dark Web,” where criminals post stolen information. This type of personal information is a key part of identity theft and other malicious online activity.

In Facebook’s case, hackers used automated computer programs to feed the information into Facebook’s “search” box, allowing them to find the full names of people associated with the phone numbers or email addresses, along with any Facebook profile information they made public.

“We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” Chief Executive Mark Zuckerberg said in a call with reporters.

While Facebook users could have blocked the search function, research shows that online users rarely change default privacy settings. They also often do not understand exactly what information they are sharing.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped,” the company stated.

Hackers also took advantage of Facebook’s account recovery function, pretending to be legitimate users who had forgotten account details. As a result, the system served up names, profile pictures and links to the public profiles. This is a tool that can also be blocked in privacy settings.

Facebook didn’t disclose who the malicious actors are, how the data might have been used, or exactly how many people were affected.