A security consultant said that he collected and published the names of one fifth of Facebook’s global user base as part of his work on a security tool.
In a radio interview, Ron Bowes said that he is a developer for the Nmap Security Scanner, and one of its recent tools is called Ncrack. He said: “It is designed to test password policies of organizations by using brute force attacks; in other words, guessing every username and password combination.”
He harvested the profile, name and unique ID of every ‘searchable’ member of the site and uploaded it to BitTorrent. By downloading the data from Facebook and compiling a user’s first initial and surname, he was able to make a list of the most common probable usernames to use in the tool.
While he said that his original plan was to “collect a good list of human names that could be used for these tests,” once he had the data, he realized that it could be of interest to the community.
Facebook said in a statement that the information in the list was already freely available online and said that no private data was available or had been compromised.
“This is the information available to enable people to find each other, which is the reason people join Facebook,” the social networking site said in a statement. “If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications.”
Graham Cluley, senior technology consultant at Sophos, agreed that the information was already available to anyone on the internet, as Bowes's script harvested publicly available information from the profiles of Facebook users who had left their profiles open for anyone to view.
“This wasn’t really a ‘hack’ as such, as the guy who collected this information didn’t have to break into accounts to access the information,” Cluley said. “The personal information from users’ Facebook profiles was already available to anyone because individuals’ privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see. Today the news story is about names and URLs being scooped up. Maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.”
Bowes said his collection of the data was in no way irresponsible and likened it to a telephone directory. “All I’ve done is compile public information into a nice format for statistical analysis,” he said. However, he added that the ability to collect information on 100 million Facebook users – one fifth of its user base – highlighted a new trend that was emerging in the digital age.
“With traditional paper media, it wasn’t possible to compile 170 million records in a searchable format and distribute it, but now we can,” Bowes said. “Having the name of one person means nothing and having the name of a hundred people means nothing. It isn’t statistically significant. But when you start scaling to 170 million, statistical data emerges that we have never seen in the past.”
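To make the point in the preceding paragraphs concrete (a first-initial-plus-surname convention applied to a name directory, and the statistical picture that only appears once many records are aggregated), here is an added Python example that is not part of the original article or of Bowes's tools. It works on a small constructed list of names, maps each to the candidate username the article describes, and measures how much of the directory the most common candidates cover; an auditor would use this figure to judge how much predictability a naming convention leaks, not to run guesses against anything. The sample names, the function names and the convention itself are assumptions for illustration.

```python
from collections import Counter

# Constructed sample directory of (first name, surname) pairs standing in for
# the kind of public name data the article describes. These are not real users.
SAMPLE_NAMES = [
    ("John", "Smith"), ("Jane", "Smith"), ("James", "Smith"), ("Joan", "Smith"),
    ("Mary", "Jones"), ("Michael", "Jones"), ("Mark", "Jones"),
    ("David", "Brown"), ("Daniel", "Brown"),
    ("Alice", "Taylor"), ("Robert", "Wilson"), ("Sarah", "Evans"),
    ("Thomas", "Thomas"), ("Paul", "Roberts"),
]


def candidate_username(first, surname):
    """Derive a username under the assumed 'first initial + surname' convention,
    lower-cased and reduced to letters only."""
    raw = (first[0] + surname).lower()
    return "".join(ch for ch in raw if ch.isalpha())


def username_frequencies(names):
    """Count how many people in the directory map to each candidate username.
    Collisions (several people sharing one candidate) are exactly what makes a
    short list of candidates cover a large share of a population."""
    return Counter(candidate_username(f, s) for f, s in names)


def coverage_of_top(names, k):
    """Fraction of the directory covered by the k most common candidate
    usernames. The higher this is, the more predictable the convention is,
    which is the risk an auditor of a password policy wants to quantify."""
    counts = username_frequencies(names)
    covered = sum(n for _, n in counts.most_common(k))
    return covered / len(names)


def collision_ratio(names):
    """People per distinct candidate username; 1.0 means no collisions at all."""
    counts = username_frequencies(names)
    return len(names) / len(counts)


if __name__ == "__main__":
    freq = username_frequencies(SAMPLE_NAMES)
    print("most common candidates:", freq.most_common(3))
    print("share of directory covered by top 3: %.2f" % coverage_of_top(SAMPLE_NAMES, 3))
    print("people per distinct candidate: %.2f" % collision_ratio(SAMPLE_NAMES))
```

With the constructed list, three candidates already account for nine of the fourteen people, which is the "statistical data emerges" effect at toy scale; on a real directory the same measurement tells a defender how much a naming scheme narrows the space an attacker would otherwise have to guess, and therefore how strong the password side of the policy needs to be.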
Although the event is not criminal, it highlights the need for users to take some responsibility for their own privacy and ensure that their profile and personal details are suitably restricted so that they cannot be exposed, said Paul Vlissidis, technical director at NCC Group.
“Issues surrounding privacy on social media sites have been widely debated, and users are aware of the risks associated when joining these sites,” Vlissidis said. “The problem is they don’t care until something like this happens. While a high level of user privacy is not commonly the default setting for social media tools, this latest revelation should serve as a wakeup call to those who are exposing personal information online and lead them to take personal responsibility for the security of their own information.”