Facebook has yet another data crisis on its hands, with a researcher recently disclosing a potentially massive vulnerability that can expose users' email addresses, even if they've chosen to keep them private. This is just one of many privacy concerns that have come up with Facebook in recent months, giving the company more bad PR that it definitely doesn't need right now.

Just a few weeks ago, more than 500 million Facebook users were exposed to a data breach that revealed a myriad of personal information, including email addresses, phone numbers, names, and more. The data was stolen during a data breach back in 2019, with the information just recently being leaked onto a hacking forum on April 3, 2021. Doing things like updating passwords and enabling two-factor authentication is always helpful in these events, but once that information is out there, people are permanently at risk should someone try to do something malicious with it.

Less than a month later, Facebook is now faced with another data privacy concern. Per a report from Ars Technica, a security researcher recently demonstrated how something called 'Facebook Email Search v1.0' can be used to link Facebook accounts to the email addresses associated with them. This works regardless of whether a user has set their email to be public or private, with the researcher explaining that, in one test, he "spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts." While this sounds like something Facebook would want to address ASAP, the researcher claims Facebook told him that the issue wasn't "important" enough to be fixed.

Facebook Says It "Erroneously" Dismissed The Report

Why would Facebook take this approach? While it may never be known for sure, there are a couple of possibilities. It could be that the report was legitimately missed or ignored by accident, resulting in the proper teams at Facebook not seeing it. There's also the more nefarious notion that Facebook ignored the report on purpose, possibly not wanting to put itself back in the limelight for yet another data vulnerability. Regardless, it's pretty worrying that something like this was reported to the social media giant and no action was taken on it. As noted by the researcher, "I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped."

Ars Technica did reach out to Facebook to get its take on the situation, with a spokesperson from the company saying, "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." It's unclear how long it will take for this vulnerability to be patched, but at the very least, Facebook appears to be aware of what's going on and is finally doing something about it.

While data concerns with Facebook aren't anything new, it's troubling to hear about this situation and wonder what went wrong. Facebook should be doing everything in its power to protect user privacy. If a vulnerability as serious as this was exposed and ignored by the company, something isn't working with that whole process.

Source: Ars Technica