{"id":13325,"date":"2019-05-20T19:11:13","date_gmt":"2019-05-20T15:11:13","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/facebook-10-fails\/13325\/"},"modified":"2019-11-15T15:22:18","modified_gmt":"2019-11-15T11:22:18","slug":"facebook-10-fails","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/facebook-10-fails\/13325\/","title":{"rendered":"Top 10 epic Facebook fails"},"content":{"rendered":"<p>This May, Mark Zuckerberg celebrated his 35th birthday. Congratulations! Zuckerberg did not make it to this milestone quietly, however. Instead, he faces a federal investigation <a href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/04\/19\/federal-investigation-facebook-could-hold-mark-zuckerberg-accountable-privacy-sources-say\/?utm_term=.cf91a4d9afcc\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">looking<\/a> at ways to hold him personally accountable for mismanaging users\u2019 private data while Facebook-related scandals keep making headlines. In this post we have compiled Facebook\u2019s 10 most prominent fails involving data misuse.<\/p>\n<h2>1. Cambridge Analytica: How it all began<\/h2>\n<p>It all started with the Cambridge Analytica scandal. Back in early 2018 we all learned for the first time with 100% certainty that the data and opinions we share across Facebook can be used by a third party without our consent. Cambridge Analytica\u2019s harvesting of the data of 50 million Facebook users and its use of that data for political advertising shook the world, but it was only the beginning. To review those events, you can read <a href=\"https:\/\/www.kaspersky.com\/blog\/delete-facebook\/21772\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this post<\/a>.<\/p>\n<h2>2. 
Facebook tokens stolen<\/h2>\n<p>Half a year later, <a href=\"https:\/\/www.kaspersky.com\/blog\/facebook-token-breach\/24052\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">another scandal caught up with Facebook<\/a>: Attackers exploited several vulnerabilities in Facebook to steal the access tokens of millions of users. An access token is essentially the digital key that keeps a person logged in, so whoever holds a copy can act as that user without knowing the password.<\/p>\n<p>In total, 30 million users had their tokens stolen. For\u00a015 million of them, the attackers accessed\u00a0names and contact details. In 14 million cases, the attackers could also see more detailed profile information and the users\u2019 Facebook activity. For\u00a0the remaining 1 million, no information was accessed. That was when Facebook users learned that Facebook is not impregnable and that accounts can be compromised en masse without the victims doing anything wrong.<\/p>\n<h2>3. Facebook and Instagram passwords exposed<\/h2>\n<p>If 30 million wasn\u2019t enough, another incident came along involving hundreds of millions of Facebook and Instagram users. In early 2019, Facebook made it clear that its internal processes for protecting user data are far from perfect. The company admitted it <a href=\"https:\/\/newsroom.fb.com\/news\/2019\/03\/keeping-passwords-secure\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">had been storing<\/a> some users\u2019 Facebook and Instagram passwords in plain text on its internal systems. Facebook insisted the passwords were visible to employees only and that no one had abused that access. The lesson for anyone running a login system is the same regardless of scale: a password should never be persisted in a form from which it can be read back, only as a salted, slow hash.<\/p>\n<p>At this point, the exact number of affected users has not been disclosed. First, the company commented that the problem involved hundreds of millions of Facebook Lite users, tens of millions of regular Facebook users, and tens of thousands of Instagram users. 
One month later, it amended its comment to say the issue (now patched) affected not tens of thousands, but millions of Instagram users.<\/p>\n<h2>4. Instagram passwords exposed again<\/h2>\n<p>Actually, that was not the first time Instagram users learned their passwords could have leaked. Several months earlier, Instagram\u2019s \u201cDownload Your Data\u201d feature was discovered to contain <a href=\"https:\/\/www.theverge.com\/2018\/11\/17\/18100235\/instagram-security-bug-exposed-user-passwords-data-download-tool\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">a security flaw<\/a> (now patched) that could have inadvertently exposed some Instagram passwords. If someone entered their password to use the feature, that password was placed in the URL of the resulting page, where it showed up in the browser\u2019s address bar and history, and \u2014 again \u2014 it was stored on Facebook\u2019s servers in plain text. Anything carried in a URL also tends to end up in web-server and proxy logs, which is why credentials belong in a POST body, never in a query string.<\/p>\n<h2>5. Facebook requested e-mail passwords and scraped contacts<\/h2>\n<p>Facebook scraped the e-mail contacts of 1.5 million users without their consent. Wait, it\u2019s actually a bit more complicated than that. Here\u2019s the story: Facebook was <a href=\"https:\/\/twitter.com\/originalesushi\/status\/1112496649891430401\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">asking<\/a> a subset of newcomers to verify their identities by providing the passwords to their e-mail accounts. When the news broke, many thought it was an April Fool\u2019s joke; no savvy Internet user could imagine handing a third party the key to their inbox, which is also the recovery key for most of their other accounts. Unfortunately, it was not a joke. And many fell for it.<\/p>\n<p>Facebook <a href=\"https:\/\/www.businessinsider.com\/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">insisted<\/a> it didn\u2019t access the contents of the users\u2019 e-mails, just \u2014 unintentionally \u2014 scooped up their e-mail contacts. 
In total, the address books of 1.5 million users have been harvested. But given that people\u2019s contact lists may have hundreds of contacts, the final number of those whose contact details were obtained this way may well be in the tens of millions. The company says it used the data to improve ad targeting, build Facebook\u2019s web of social connections, and recommend new friends to users.<\/p>\n<h2>6. 2FA with Facebook, a tool for advertisers<\/h2>\n<p>Of course, we all want to keep our accounts safe, and two-factor authentication seems like an ideal way to do that. But even here, potential issues arise. For example, the phone number you provide when enabling two-factor authentication for your Facebook account will be automatically associated with your profile \u2014 without an opt-out option. As a result, anyone, regardless of whether they even have an account, can <a href=\"https:\/\/techcrunch.com\/2019\/03\/03\/facebook-phone-number-look-up\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">look up<\/a> your user profile based on this phone number. Bonus: Facebook <a href=\"https:\/\/www.facebook.com\/notes\/facebook-security\/fixing-sms-notifications-for-those-using-two-factor-authentication\/10155124741945766\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">might also target<\/a> the number with ads.<\/p>\n<h2>7. Your contacts are never safe from advertisers<\/h2>\n<p>As we mentioned tangentially above, Facebook and Instagram <a href=\"https:\/\/gizmodo.com\/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">were giving<\/a> advertisers access to contact information that users hadn\u2019t even stored on Facebook! 
In other words, advertisers were (and, probably, still are) targeting us relying not only on the e-mail addresses and phone numbers we indicate on our \u201ccontact and basic info\u201d page, but also on other data.<\/p>\n<p>This data can include the phone number (if any) you put in for 2FA purposes and the junk e-mail addresses you hand over for discounts or for furtive online shopping. Also, if any of your contacts chooses to share (\u201csynchronize\u201d) <em>their<\/em> contacts with Facebook or uploads their address book to Facebook \u2014 to \u201cfind friends\u201d \u2014 and their contact list includes a phone number of yours, even if you never entered that information anywhere on Facebook, advertisers will be able to target you with an ad using that phone number.<\/p>\n<h2>8. More Facebook data shared with advertisers<\/h2>\n<p>Facebook <a href=\"https:\/\/www.nbcnews.com\/tech\/social-media\/mark-zuckerberg-leveraged-facebook-user-data-fight-rivals-help-friends-n994706\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">was tapping<\/a> users\u2019 data as leverage over companies it partnered with, leaked internal documents showed. For example, Amazon.com, which was spending significant sums on Facebook advertising, <a href=\"https:\/\/www.nytimes.com\/2018\/12\/18\/technology\/facebook-privacy.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">could obtain<\/a> users\u2019 names and e-mail addresses through their friends (as could Sony, Microsoft and many others).<\/p>\n<p>Microsoft\u2019s Bing search engine was allowed to see the names of virtually all of our Facebook friends without our (or their) consent. Netflix, Spotify, and the Royal Bank of Canada were given privileges to read, write, and delete our private messages, and to see all of the participants on a thread. 
Apple devices had access to the contact numbers and calendar entries even of people who had changed their account settings to disable all sharing.<\/p>\n<p><strong>The companies involved stated they never misused the data they accessed, and some said they didn\u2019t even know they had such \u201cextended\u201d rights.<\/strong><\/p>\n<h2>9. Facebook Marketplace leaked sellers\u2019 exact locations<\/h2>\n<p>A flaw (<a href=\"https:\/\/www.databreachtoday.com\/facebook-marketplace-flaw-revealed-sellers-exact-location-a-12402\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">now patched<\/a>) in Facebook\u2019s digital marketplace was exposing sellers\u2019 exact locations (precise latitude and longitude coordinates), and by extension, their goods. To see the location, it wasn\u2019t even necessary to log in to Facebook, leading some researchers to call the service \u201ca shopping list for thieves.\u201d That was especially worrying for those who were selling expensive bicycles, because those are a tasty morsel for criminals, and Marketplace was basically giving those bikes away to them by exposing the sellers\u2019 location.<\/p>\n<h2><strong>10. Facebook data exposed \u2014 by a third party<\/strong><\/h2>\n<p>Two databases containing Facebook users\u2019 information <a href=\"https:\/\/techcrunch.com\/2019\/04\/03\/facebook-records-exposed-server\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">were found<\/a> on the open Web, storing the data in plain text, allowing absolutely anyone to access and download it. One set of data came from a Facebook game application called \u201cAt the Pool,\u201d which fell into disuse a long time ago. The second one, containing more than 540 million records, belonged to Cultura Colectiva, a Mexican media company operating throughout Latin America. 
Both exposed databases included the names and e-mail addresses of users, their friends\u2019 lists, likes, comments, and all kinds of details that can be used to profile preferences and interests.<\/p>\n<p>Although the information was not particularly sensitive, and Facebook\u2019s own staff had nothing to do with the exposure, it still raised (again) questions of how Facebook shares users\u2019 data with third parties, and echoed the Cambridge Analytica scandal that kicked off this post.<\/p>\n<p>If after reading this post you feel you\u2019ve had enough of Facebook\u2019s shenanigans, you can find <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-delete-facebook\/25536\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">instructions on\u00a0how to delete your Facebook account<\/a> on our blog. Of course, that decision is purely up to you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>10 Facebook mistakes that threatened users\u2019 security and 
privacy.<\/p>\n","protected":false},"author":2508,"featured_media":13326,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225],"tags":[20,2098,2099,43],"class_list":{"0":"post-13325","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"tag-facebook","9":"tag-fails","10":"tag-mistakes","11":"tag-privacy"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/facebook-10-fails\/13325\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/facebook-10-fails\/15797\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/facebook-10-fails\/17708\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/facebook-10-fails\/15853\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/facebook-10-fails\/14599\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/facebook-10-fails\/18475\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/facebook-10-fails\/17352\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/facebook-10-fails\/6058\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/facebook-10-fails\/26980\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/facebook-10-fails\/11760\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/facebook-10-fails\/11856\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/facebook-10-fails\/10767\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/facebook-10-fails\/19284\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/facebook-10-fails\/23269\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/facebook-10-fails\/22633\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/facebook-10-fails\/22583\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.k
aspersky.com\/blog\/tag\/facebook\/","name":"Facebook"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2508"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13325"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13325\/revisions"}],"predecessor-version":[{"id":14432,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13325\/revisions\/14432"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13326"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
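Sections 3 and 4 of the post above describe the same underlying failure twice: a password that should only ever exist transiently ends up written down in plain text, once in internal storage and once via a URL that browsers and servers record. The following is an added example written for this page, not code from the post, from Kaspersky or from Facebook. It shows the plaintext-storage anti-pattern beside a hardened form (salted scrypt hashing with constant-time verification, using Python's standard library), plus a small log-audit helper that finds and redacts credentials that leaked into URL query strings. The scrypt parameters, the `SENSITIVE_PARAMS` list and the access-log lines are assumptions constructed for the example and are not taken from any real incident.

```python
"""Added example (not from the original post): the two password-handling
failures of sections 3 and 4, each beside its hardened form."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# ---- Section 3: passwords at rest -----------------------------------------

def store_plaintext(record: dict, username: str, password: str) -> None:
    """Vulnerable form: what 'stored in plain text' looks like in code.
    Anyone who can read `record` (a DB dump, a log, an employee) has the password."""
    record[username] = password

# Assumed cost parameters for the example (memory ~16 MiB); tune for production.
_N, _R, _P = 2 ** 14, 8, 1

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: memory-hard scrypt over a fresh random salt, stored as a
    self-describing string so parameters can be raised later without a migration."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=_N, r=_R, p=_P, dklen=32)
    return f"scrypt${_N}${_R}${_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def looks_like_plaintext(stored: str) -> bool:
    """Audit helper: anything not in our hash format is treated as a finding."""
    return not stored.startswith("scrypt$")

# ---- Section 4: passwords in URLs -----------------------------------------

# Assumed parameter names to treat as credentials (extend for your own app).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token"}

def redact_url_credentials(url: str) -> str:
    """Replace the value of any credential-like query parameter before the URL
    is logged, echoed or forwarded. Works for absolute URLs and bare paths."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def find_credential_leaks(access_log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan Common Log Format lines; return (line_no, method, redacted_path) for
    every request whose URL carried a credential-like parameter."""
    leaks = []
    for i, line in enumerate(access_log_lines, 1):
        try:
            request = line.split('"')[1]            # e.g. 'GET /path?q=1 HTTP/1.1'
            method, path, _proto = request.split(" ")
        except (IndexError, ValueError):
            continue                                 # not a well-formed request line
        params = parse_qsl(urlsplit(path).query, keep_blank_values=True)
        if any(k.lower() in SENSITIVE_PARAMS for k, _ in params):
            leaks.append((i, method, redact_url_credentials(path)))
    return leaks

# Constructed sample log: line 1 is the section-4 failure mode (password sent via GET).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [17/Nov/2018:10:12:01 +0000] "GET /download/request?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Nov/2018:10:12:07 +0000] "GET /static/app.js HTTP/1.1" 200 9123',
    '10.0.0.9 - - [17/Nov/2018:10:13:44 +0000] "POST /download/request HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    db = {}
    store_plaintext(db, "alice", "hunter2")          # the anti-pattern
    db["alice"] = hash_password("hunter2")           # the fix
    print("verify ok:", verify_password("hunter2", db["alice"]))
    for line_no, method, path in find_credential_leaks(SAMPLE_ACCESS_LOG):
        print(f"credential in URL at line {line_no}: {method} {path}")
```

Two design points worth noting: the hash string carries its own parameters, so the cost can be raised later and old entries re-hashed on next login; and the log scanner reports the redacted path, never the raw one, so the audit itself does not become another plaintext copy of the password.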