100 million Facebook pages leaked on torrent site

Image: Screen capture of Facebook directory download

A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site.

The most dramatic “data theft” to hit social networks in quite a while isn’t a theft at all.
Facebook users were hit with another frightening reminder on Thursday that not everyone online is their friend, as over 100 million personal profiles and details from the service were scraped from Facebook’s pages and published on the Web.
But Facebook wasn’t hacked. Far from it. And if users had personal details exposed, they have no one but themselves to blame.
A program written by Ron Bowes, a security consultant at Skull Security, scanned all the listings in Facebook’s open-access directory and then compiled a text file that lists the information he uncovered. That data potentially exposes some Facebook users’ birthdays, addresses, phone numbers and more — but only because they chose not to keep those details private.
“All I’ve done is compile public information into a nice format for statistical analysis,” Bowes told the BBC. He explained that he had simply accessed the same information that’s available to search engines like Google, Bing and Yahoo — or the countless white-pages services available online.
But the stunt should make those 100 million Facebook users reconsider what personal information they make available online.
Going public with your birthday and address exposes you to the very real threat of identity theft and fraud — not to mention stalking and other unwelcome advances. Hackers typically troll for such information to open credit cards under aliases, or they use the names they find in other online scams.
And it’s hardly unreasonable to presume that some of the thousands of people who have downloaded Bowes’ file since it hit the Internet have criminal intentions.
Facebook is putting a straight face on the story. Company spokesman Andrew Noyes told FoxNews.com that the “information that people have agreed to make public was collected by a single researcher … no private data is available or has been compromised.”
As Facebook leaves it up to its users to decide how much personal information they want to reveal to the public, people who want to keep some things to themselves are encouraged to take a few specific steps.
To be removed from the open access directory that Bowes scanned, users should select “Privacy Settings” under the “Account” heading on the Facebook screen, then edit the “Public Search” option to uncheck the “Enable public search” box.
Then they should go back to the privacy settings and select “Custom” to specify what information (photos, comments, and so on) they want to share, and with whom.
If your profile was set to be searchable by everyone, chances are you’re in Bowes’ file, and there’s nothing you can do about that now.
Facebook users should also be aware that after they have changed their privacy settings, their old profile pages may still be publicly available because they are often stored (or cached) by search engines.
Ultimately, this latest incident is just another reminder of the basic reality of modern cyber security:
Whatever it is . . . if you wouldn’t put it on a billboard in Times Square, don’t post it on the Web.

The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook’s open access directory, which lists all users who haven’t bothered to change their privacy settings to make their pages unavailable to search engines.

Bowes’ directory contains 171 million entries, relating to more than 100 million individual users – more than one in five of Facebook’s recently trumpeted half billion user base.

The file contains user account names and a URL for each user’s profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user’s page from the list will also enable you to click through to friends’ profiles – even if those friends have made themselves non-searchable.

There’s absolutely nothing illegal about what Bowes has done – the information is, after all, publicly available – but perhaps the existence of a stalker’s online black book might finally persuade less security-minded Facebook users to get their arses in gear.

http://www.skullsecurity.org/Resume-20100621.pdf

http://www.skullsecurity.org/blog/