Facebook Had Years to Fix Flaw That Leaked 500M Users’ Data

The profile names, email addresses, and phone numbers of over 500 million Facebook users have been circulating publicly online for nearly a week. It took days for Facebook to finally acknowledge the root cause, an issue the company says it fixed in 2019. But now researchers are saying Facebook knew about similar vulnerabilities for years before that, and it could have made a far greater effort to prevent the mass scraping in the first place.

At issue is Facebook’s “content importer,” a feature that combs a user’s address book to find people they know who also use Facebook. Many social networks and communication apps offer some version of this as a sort of social lubricant. But Facebook’s contact import tool in particular has had a number of known problems, and supposed fixes, over the years.

“I’m sure other companies are sweating as well now. It’s not just Facebook,” says Inti De Ceukelaire, a Belgian security researcher who reported a vulnerability in Facebook’s contact import feature to the company in 2017. “But it’s a recurring theme for Facebook that whenever growth is at stake, they will think twice about fixing something to benefit the user’s privacy.”

De Ceukelaire and other researchers had already alerted Facebook to similar issues. In 2012, Facebook made changes that resulted in the site’s “Download Your Information” tool leaking phone numbers and email addresses that users had not supplied themselves through the contact import feature. A researcher disclosed the issue to Facebook in 2013; in 2018, the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland investigated the finding.

“Our Office finds that FB did not have appropriate safeguards in place prior to the breach in order to protect the personal information of users and non-users,” the investigation found.

That incident differs from the more recent Facebook controversy, in which attackers were able to “scrape” Facebook by enumerating batches of possible phone numbers from more than 100 countries, submitting them to the contact import tool, and manipulating it to return the names, Facebook IDs, and other data users had posted on their profiles. Still, the lapse spoke to the potential for the contact import tool to access sensitive data and the need to look carefully for bugs and inadvertent behavior in the feature.

De Ceukelaire’s 2017 research relates much more directly to the methods the attackers used to scrape the recent, massive data set. “I discovered it is relatively simple to reveal private phone numbers on Facebook, uncovering some phone numbers of Belgian celebs and politicians,” De Ceukelaire wrote in February 2017. “Even though this trick only seems to work in small countries such as Belgium (+/- 11.2 million people), a significant number of people is affected by this simple, yet effective privacy leak.”

De Ceukelaire had found a manual and somewhat limited, but still effective, way to enumerate phone numbers and extract their corresponding user information from Facebook through the contact import feature. He submitted the findings to Facebook’s bug bounty program, but in communications reviewed by WIRED, the company said that the issue didn’t qualify for a payout.

The researcher had raised two crucial points, though. First, attackers might well look for more powerful and efficient ways of abusing the contact import feature through phone number enumeration attacks. Facebook told De Ceukelaire at the time that it might revise its rate limits—the maximum number of submissions one can make—for the contact import feature, but that it did not view the issue as a vulnerability. De Ceukelaire further flagged that users might not understand that the privacy controls they set for information on their Facebook profile could be undermined by another Facebook privacy setting known as “Who can look me up.”

Facebook lets you set your phone number and email address as visible to “Only me.” But it also has an entirely separate setting, called “Who can look me up,” that dictates whether someone can find you on Facebook using your phone number or email address through the contact import tool. Even if your phone number is set to “Only me” on your profile, it could still be set to “Everyone” under “Who can look me up.” In that case, if someone guessed your phone number they would be able to link it to your other public Facebook information.
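To make the interaction between the two settings concrete, here is a small Python model added for illustration; it is not Facebook's code and not from the article. It treats a phone number's real exposure as the more permissive of the profile-field setting and "Who can look me up," audits for the mismatch described above, and sketches a contact importer that enforces the lookup setting plus a per-client submission cap of the kind the article says Facebook considered revising. All names, numbers, the cap and the function names are constructed or hypothetical.

```python
from collections import defaultdict

# Constructed sample directory (hypothetical people and numbers): phone -> profile.
# "phone_visibility" is the profile-field setting; "lookup_by_phone" is the
# separate "Who can look me up" setting.
PROFILES = {
    "+3225550101": {"name": "Ann Example", "id": "1001",
                    "phone_visibility": "only_me", "lookup_by_phone": "everyone"},
    "+3225550102": {"name": "Bob Example", "id": "1002",
                    "phone_visibility": "only_me", "lookup_by_phone": "friends"},
}
PRIVACY_ORDER = {"only_me": 0, "friends": 1, "everyone": 2}


def effective_phone_exposure(profile):
    """A number is only as private as the MORE permissive of the two settings:
    anyone who already knows it can link it to the profile through lookup
    even when the profile field itself is "Only me"."""
    return max(profile["phone_visibility"], profile["lookup_by_phone"],
               key=PRIVACY_ORDER.get)


def audit_mismatches(profiles):
    """Numbers whose owners hid the field but left lookup open to everyone."""
    return sorted(n for n, p in profiles.items()
                  if p["phone_visibility"] == "only_me"
                  and p["lookup_by_phone"] == "everyone")


class ContactImporter:
    """Hypothetical server-side importer: honours the lookup setting and caps
    how many numbers one client may submit (a simple, non-expiring rate limit)."""

    def __init__(self, limit):
        self.limit = limit
        self.submitted = defaultdict(int)  # client -> numbers submitted so far

    def import_contacts(self, client, numbers, friend_ids=frozenset()):
        """Return {number: (name, id)} for numbers the client may resolve;
        raise RuntimeError once the client's submissions exceed the cap."""
        self.submitted[client] += len(numbers)
        if self.submitted[client] > self.limit:
            raise RuntimeError("contact import rate limit exceeded")
        matches = {}
        for number in numbers:
            profile = PROFILES.get(number)
            if profile is None:
                continue
            setting = profile["lookup_by_phone"]
            if setting == "everyone" or (setting == "friends" and profile["id"] in friend_ids):
                matches[number] = (profile["name"], profile["id"])
        return matches
```

Ann's number resolves to her name and ID for any client despite the "Only me" field setting, which is exactly the mismatch `audit_mismatches` reports; Bob's resolves only for a client that is already his friend.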