Facebook detail harvest described as not a concerning security issue, but should act as a warning on open profiles

News by Dan Raywood

A security consultant said that he collected and published the names of one fifth of Facebook's global user base as part of his work on a security tool.

A security consultant said that he collected and published the names of one fifth of Facebook's global user base as part of his work on a security tool.

Talking to BBC News, Ron Bowes said that he is a developer for the Nmap Security Scanner, and one of its recent tools is called Ncrack. He said: “It is designed to test password policies of organisations by using brute force attacks; in other words, guessing every username and password combination.”

He harvested the profile, name and unique ID of every ‘searchable' member of the site and uploaded it to BitTorrent. By downloading the data from Facebook and compiling a user's first initial and surname, he was able to make a list of the most common probable usernames to use in the tool.

He said that his original plan was to ‘collect a good list of human names that could be used for these tests' and said that once he had the data, he realised that it could be of interest to the community to release it.

Facebook said in a statement to BBC News that the information in the list was already freely available online and said that no private data was available or had been compromised.

It said: “This is the information available to enable people to find each other, which is the reason people join Facebook. If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications.”

Graham Cluley, senior technology consultant at Sophos, hit out at what he called ‘frightening' headlines, saying that the information was already available to anyone on the internet as it harvested publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

He said: “This wasn't really a ‘hack' as such, as the guy who collected this information didn't have to break into accounts to access the information. The personal information from users' Facebook profiles was already available to anyone because individuals' privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

“Today the news story is about names and URLs being scooped up - maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.”

Bowes stated that the collection of the data was in no way irresponsible and likened it to a telephone directory. He said: “All I've done is compile public information into a nice format for statistical analysis.” However he did say that the ability to collect information on 100 million Facebook users – one fifth of its user base - highlighted a new trend that was emerging in the digital age.

He said: “With traditional paper media, it wasn't possible to compile 170 million records in a searchable format and distribute it, but now we can. Having the name of one person means nothing and having the name of a hundred people means nothing, it isn't statistically significant. But when you start scaling to 170 million, statistical data emerges that we have never seen in the past.”

Paul Vlissidis, technical director at NCC Group, said: “What this does highlight is the need for users to take some responsibility for their own privacy and ensure that their profile and personal details are suitably privatised so that they cannot be exposed.

“Issues surrounding privacy on social media sites have been widely debated, and users are aware of the risks associated when joining these sites. The problem is they don't care until something like this happens. While a high level of user privacy is not commonly the default setting for social media tools, this latest revelation should serve as a wakeup call to those who are exposing personal information online and lead them to take personal responsibility for the security of their own information.”

Richard Turner, chief executive at Clearswift, said: “Facebook is an intrinsic part of everyday life, like so many Web 2.0 tools and technologies are these days, and not only for personal use, as more and more companies are realising the potential of social networks for business benefit.

“There is a real need for users to truly understand how secure the private information that they are posting online is and what is open to being shared in this community. This actually highlights a need for more knowledge around how the web works, how data that is shared can be seen by others and if businesses are embracing this channel then they need to be leading the way on this process of education.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews