Ethical hacker publishes 100 million Facebook users' public information

Published Date: 29 - Jul - 2010 | Last Updated: 29 - Jul - 2010

Apparently, 1/5th of all 500 million Facebook user accounts were hacked yesterday by a security consultant, Ron Bowes, who wanted to prove how easy it still was to access user information. Using a ‘piece of code’ to scan and copy all data not hidden by 100 million users’ privacy settings in Facebook's Directory, Mr. Bowes collected and uploaded it as a 2.79GB torrent for everyone to see. In other words, he managed to make public what was already public, and make it available in an indexed format. This does not seem very scary, but more on that later... For now, what does it contain?

  • User Profile URL
  • Usernames (unique and by count)
  • Processed lists (of first names with count, last names with count, usernames with count, and more)
  • Programs (used by Mr. Bowes to generate the lists)

Not very philanthropically, Bowes isn’t just showing how vulnerable Facebook is to such hacking; he is also taking things one step further by giving other, less experienced hackers the perfect opportunity to use the data he has provided, which is ideal for many hacking techniques, including post-processing and data mining. Facebook is apparently not too concerned, however, claiming that the information Bowes has stolen is readily available anyway and that no private data has been compromised: nothing that was kept under ‘Friends only’.

While Facebook’s apparent lack of concern is certainly a bit comforting, the entire fiasco does make one thing clear: information you share with ‘Everyone’ on Facebook is an open invitation for a hacker to use and abuse it, and it is especially easy to locate if you are searchable by Everyone. It therefore serves as a warning to set your default search setting to Friends Only, which is a step backwards in the whole 'social networking/finding long lost friends/I now trust Facebook' direction, a move that convincingly persuades you to opt out.

Bowes has, in other words, succeeded in proving one of Facebook’s security claims wrong: that Facebook user profiles cannot be indexed. Not only has Bowes made a whole bunch of indexed lists (by Unique ID and count), but he also went on to say: “So far, I have only indexed the searchable users, not their friends … I’d like to tackle that in the future.”

Abhinav Lal