The Cambridge Analytica scandal, in which a right-wing data firm slipped through Facebook’s loopholes and stole millions of user profiles, has gotten the lion’s share of attention as the embattled social media site attempts to repair its reputation. But also placed in a public statement about what Facebook was doing to protect privacy was an admission that, effectively, it’s closing the barn door after the barn has burned to the ground. If you have a Facebook account, at the very least there has been an attempt to “scrape” your data from the page. And what’s most glaring is how easy it was, and how Facebook apparently didn’t notice.
The problem, which is listed sixth in an inventory of nine items, is simple. If somebody has your phone number or email address, they can find any account tied to that phone number or email address, just by searching for it on the site:
…malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
This sounds bad already, but it’s not until you consider the sheer potential scale of this that it becomes frightening. Almost every data breach from other websites includes the contact data of users, and plenty of corporations share that data as part and parcel of more sensitive leaks, like Grindr’s accidental revelation of its users’ HIV status. Even outside of that scenario, lists of email addresses and phone numbers are widely available; your own phone provider will gladly hand over your name and number to anybody who pays them for it.