A hacker has used Facebook's Graph Search to collect a database of thousands of Facebook users and their phone numbers. Both parties agree that all of the information was left public by the users themselves, but Facebook issued him a cease-and-desist order after he continued to gather data and argued with Facebook that the availability of the information invades users' privacy.
The hacker responsible is Brandon Copley, a mobile developer in Dallas, Texas, USA. He searched for and downloaded 2.5 million phone-number entries from the social networking site. He says many of these entries are empty, either because the number is not active or because it is not connected to a Facebook user with public settings; however, he notes that thousands of entries match a phone number to the name of a Facebook user. Facebook representatives tell us that this is a feature of Graph Search and that these users have their contact information set to public. (Your privacy settings govern who can find you with search using the contact information you have provided, such as your phone number or email address. This can be modified at any time from the Privacy Settings page.) Copley confirms that these users have their contact information set to public, but argues that this is still a security issue.
On Friday afternoon, Facebook admitted to a major security flaw in its Download Your Information tool that exposed the email addresses and phone numbers of approximately 6 million users. Copley says he used the access tokens from his developer account and the Facebook Search API to perform thousands of phone-number searches per day; when he began hitting the rate limit of his developer account, he found a way to use the API token of an app that is not rate-limited and performed millions of searches.
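The scraping pattern described above (many distinct phone numbers looked up through one token, most of them matching nothing, and the work moving to whichever app escapes the rate limit) is what an API operator's abuse detection should be keyed on. The following is an added example, not code from the article or from Facebook; the event format, app and token names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of contact-lookup events, not real Facebook log data.
# Each event: (app_id, token_id, phone_number_looked_up, matched_a_public_profile)
def build_sample_events():
    events = []
    # A normal client: a handful of lookups, most of which match a known contact.
    for i in range(5):
        events.append(("app_normal", "tok_a", f"+1214555{i:04d}", i < 4))
    # An enumerating token: a long run of sequential numbers, few matches.
    for i in range(300):
        events.append(("app_dev", "tok_b", f"+1972555{i:04d}", i % 10 == 0))
    # The same pattern again, through an app the operator left un-rate-limited.
    for i in range(300):
        events.append(("app_partner", "tok_c", f"+1469555{i:04d}", i % 10 == 0))
    return events


def summarize(events):
    """Aggregate per (app, token): distinct numbers tried and how many matched."""
    stats = defaultdict(lambda: {"numbers": set(), "matches": 0})
    for app_id, token_id, number, matched in events:
        s = stats[(app_id, token_id)]
        s["numbers"].add(number)
        s["matches"] += int(matched)
    return stats


def flag_enumerators(events, max_distinct=100, max_hit_rate=0.5, exempt_apps=frozenset()):
    """Return (app, token) pairs whose lookups look like phone-number enumeration:
    more than max_distinct distinct numbers queried, with a match rate below
    max_hit_rate. exempt_apps models the gap in the article: any app the check
    skips is where the scraping moves to, so in production it should stay empty."""
    flagged = []
    for (app_id, token_id), s in summarize(events).items():
        if app_id in exempt_apps:
            continue
        distinct = len(s["numbers"])
        hit_rate = s["matches"] / distinct if distinct else 0.0
        if distinct > max_distinct and hit_rate < max_hit_rate:
            flagged.append((app_id, token_id))
    return sorted(flagged)
```

Running the check with `exempt_apps={"app_partner"}` shows the problem the article describes: the enumeration through the exempt app goes unflagged even though its pattern is identical.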
In March and early April, Copley's Facebook account was banned several times. Copley also says he has been looking at other ways to search Facebook for phone numbers, and he now believes he has found an even faster way to connect Facebook users with phone numbers than through the Search API. On April 26, Facebook's lawyers sent Copley a cease-and-desist letter stating, "you are unlawfully acquiring Facebook user data. It appears that you are accessing Facebook through automated means and stealing Facebook access tokens in order to scrape data from Facebook's site without permission." At this point it is unclear whether Facebook will actually pursue litigation against Copley. He appears to be a tenacious man, pressing Facebook on privacy issues and showing Facebook's users how widely accessible their public contact information really is.