Facebook Offers More Hack Details, Exposes Web Scraping

Facebook downgraded the number of users hacked two weeks ago to 30 million, revealing that the personal information stolen was more substantial for 14 million of those hacked, including gender, religion, telephone number, email addresses and computing devices used to connect to Facebook. Hackers also captured the last 15 people or things the user had searched for on Facebook and the last 10 physical locations he had checked into. Another 15 million profiles were scraped for names and contact information.

The New York Times reports that the hack is “probably the most substantial breach of its network in the company’s 14-year history,” and included the security tokens of an additional one million people. Hackers, however, did not “gain access to account passwords or credit card information.” Vice president of product management Guy Rosen said the company is working “around the clock” with the FBI in investigating the breach, which was fixed two weeks ago.

Security professionals are concerned about the details stolen. “Hackers have some sort of a goal,” said Area 1 Security chief executive Oren Falkowitz, a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.” He added that “once you’ve become a target, it never ends.”

Facebook, still dealing with the consequences of the Cambridge Analytica scandal, last week “removed hundreds of accounts and pages used to spread disinformation in the United States.” Meanwhile, disinformation in places such as Myanmar and Sri Lanka has resulted in hundreds of murders. WhatsApp co-founder Brian Acton has “called for people to delete their Facebook accounts.”

Elsewhere, NYT reports that Facebook “removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government” including “any accounts associated with SocialDataHub and its sister firm, Fubutech, because the companies violated its policies by scraping data from the social network.”

“Facebook has reason to believe your work for the government has included matching photos from individuals’ personal social media accounts in order to identify them,” stated Facebook’s cease-and-desist letter to SocialDataHub.

Both companies have been on Facebook for “at least four years,” and relied on Facebook data to build products by “web scraping,” a technique in which computer programmers pull information off a website. Facebook said the technique is “difficult to detect and prevent.” According to SocialDataHub and Fubutech chief executive Artur Khachuyan, the latter does build facial-recognition software for the Russian government, but scrapes Google search results, not Facebook’s. He stated his companies have “complied with Facebook policies.”

As it searches, Facebook “is finding more examples of companies that have been exploiting its global social network for questionable ends” and is forced to examine its relationships with third-party apps that have access to personal data. Facebook said it is “reviewing its data sharing policy with apps,” and has already suspended 200 of them.