Facebook says that the 533 million records leaked in the recent breach were not taken through a hack, but through abuse of a Facebook contact-importing feature.
The company said on Friday that attackers had obtained personal data on Facebook users, including phone number and email address, along with home town and current city. But rather than breaking into its systems or stealing credentials, the attackers relied on “a functionality built to connect people with their Facebook friends.”
Explaining how the feature was abused, the company said that it had detected a series of calls to an API, starting on September 16. The attackers appear to have run automated bots against the contact importer, which is designed to take a user's uploaded address book and return the Facebook accounts that match those phone numbers; fed large, generated lists of numbers instead of a real address book, it returned the matching profiles at scale. Whether automated scraping of this kind counts as a security breach is the point of contention: no system was compromised, but the data left Facebook through a permitted feature at a volume it was never meant to allow, which is a far more serious outcome than the phrase “abuse of a contact importer feature” suggests.
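The scraping pattern described above, modelled as an added example that is not Facebook's code and does not reproduce its real API: a toy contact-import endpoint that maps uploaded phone numbers to matching profiles, a scraper that walks a numbering range through it in batches, and a throttled variant that flags callers whose uploads look nothing like an address book. The directory, number ranges, batch size and the hit-rate threshold are all constructed assumptions for illustration; the hit-rate heuristic is an editorial addition, not the mitigation Facebook described.

```python
"""Toy model of contact-importer enumeration and one way to throttle it.

Everything here is constructed for illustration: the phone numbers, the
"directory" of matching profiles, the batch size and the thresholds are
assumptions, not values from any real service.
"""
from collections import defaultdict

# Constructed directory: phone number -> the profile fields a match returns.
DIRECTORY = {
    "+15550000013": {"name": "A. Example", "city": "Springfield"},
    "+15550000107": {"name": "B. Example", "city": "Shelbyville"},
    "+15550000422": {"name": "C. Example", "city": "Ogdenville"},
}

BATCH_SIZE = 100  # assumed upload batch size per request


def lookup(numbers):
    """Core matching step: return a profile for every uploaded number we know."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def contact_import_unlimited(caller_id, numbers):
    """Naive endpoint: any caller may upload any number of numbers, any rate."""
    return lookup(numbers)


class ThrottledImporter:
    """Hardened endpoint (assumed design): track each caller's upload volume
    and match rate. A real address book is small and mostly matches; a
    scraper uploads thousands of generated numbers with a tiny hit rate.
    Once a caller has uploaded at least `min_sample` numbers with a match
    rate below `min_hit_rate`, the caller is blocked and gets nothing back.
    """

    def __init__(self, min_sample=200, min_hit_rate=0.05):
        self.min_sample = min_sample
        self.min_hit_rate = min_hit_rate
        self.uploads = defaultdict(int)
        self.matches = defaultdict(int)
        self.blocked = set()

    def __call__(self, caller_id, numbers):
        if caller_id in self.blocked:
            return {}
        hits = lookup(numbers)
        self.uploads[caller_id] += len(numbers)
        self.matches[caller_id] += len(hits)
        if self.uploads[caller_id] >= self.min_sample:
            rate = self.matches[caller_id] / self.uploads[caller_id]
            if rate < self.min_hit_rate:
                self.blocked.add(caller_id)
                return {}  # withhold this batch too, not only future ones
        return hits


def enumerate_range(endpoint, caller_id, prefix="+1555000", stop=1000):
    """Scraper: generate every number in a dialing range, upload it in
    batches through the contact importer, and keep whatever matched.
    No login to the victims' accounts is needed at any point."""
    found = {}
    for start in range(0, stop, BATCH_SIZE):
        batch = [f"{prefix}{i:04d}" for i in range(start, min(start + BATCH_SIZE, stop))]
        found.update(endpoint(caller_id, batch))
    return found


def legitimate_import(endpoint, caller_id):
    """A constructed real address book: 30 contacts, two of whom are members."""
    contacts = ["+15550000013", "+15550000107"] + [f"+15559{i:06d}" for i in range(28)]
    return endpoint(caller_id, contacts)


if __name__ == "__main__":
    print("unlimited:", len(enumerate_range(contact_import_unlimited, "bot-1")))
    throttled = ThrottledImporter()
    print("throttled:", len(enumerate_range(throttled, "bot-2")), "blocked:", throttled.blocked)
    print("legit user:", len(legitimate_import(ThrottledImporter(), "alice")))
```

The throttled endpoint does not make enumeration impossible; it bounds what one caller identity can extract before being cut off, and a determined scraper answers that by spreading uploads across many accounts. That is why per-caller limits have to be paired with global anomaly detection on the matching step itself (how many distinct profiles are being returned to how many fresh callers), and why the page's framing matters: the feature worked as designed for each request while the aggregate was a mass export.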
But Facebook stopped short of calling this data leak a security breach. In a statement, the company said that it took “significant steps” to protect the data and that, “while we are still investigating this incident, we believe most people on Facebook will not have been impacted.”
The full set of 533 million user records was first spotted by cybersecurity firm UpGuard’s Jaime Levy in early October. UpGuard said it found the data easily on a free website that offers an API for making bulk requests of Facebook data.
Facebook said that the data “appears to have been collected from people who chose to sign up to a quiz app on Facebook called ‘This is Your Digital Life’.” The company said that around 270,000 people downloaded the app and that “many of them” gave it permission to access their information.
According to Facebook, the contact-importer behaviour that made the scraping possible was fixed soon after it was reported at the end of September.