Facebook says bug may have briefly exposed photos of 6.8 million app users

Between Sept. 13 and Sept. 25, a bug temporarily exposed more photos than intended to third-party apps that use Facebook logins, the social network acknowledged on Friday.

Facebook's headquarters roadsign


As many as 6.8 million people and 1,500 apps may have been impacted, Facebook said. Some of the leaked photos came not just from regular posts, but also from Stories, and some had been uploaded but never shared.

Facebook discovered the problem on Sept. 25, the company told TechCrunch. It didn't say why it waited until now to reveal the issue, but late September also saw Facebook dealing with a security breach affecting nearly 50 million people, potentially letting hackers hijack profiles.

Anyone subject to the photo issue should receive a notification from Facebook, which is further promising to work with app developers to delete any photos they weren't supposed to have.

The latest developments only compound Facebook's problems during 2018, led by the Cambridge Analytica scandal. Analytica and Cambridge University researcher Aleksandr Kogan used a quiz app to collect data on Facebook users and their connected friends, the latter without consent, enabling Analytica to build voter profiles for some 71 million Americans and a smaller number of people overseas. Facebook discovered the data harvesting in 2015, but only made it public in March 2018. This drew the scrutiny of governments in the U.S. and U.K.

Some clients of Cambridge Analytica -- now defunct -- included the Presidential campaigns for Donald Trump and Ted Cruz, and the Institutional Revolutionary Party during Mexico's 2018 general election.

Comments

  • Reply 1 of 19
    Another good reason I deleted my account.
    watto_cobra
  • Reply 2 of 19
    mwhite Posts: 175 member
    No Facebook here. I had one for about 5 hours, hated it and deleted it.
    watto_cobra
  • Reply 3 of 19
    eriamjh Posts: 1,099 member
    I use FB, but it doesn’t use me.  

    95% of my feed is two groups I follow.  Everything and everyone else is unfollowed or blocked.  Even family.  

    However, I use Safari, not an app.  Am I safe?  Or am I screwed? 
    edited December 2018 watto_cobra
  • Reply 4 of 19
    This begs the question “how many did they intentionally leak during the same time period and was the delay in reporting to help get the photos out to more vendors?”
    what a business model!
    mac_dogwatto_cobra
  • Reply 5 of 19
    MplsP Posts: 1,007 member
    I still have a Facebook account for things like high school reunions, my neighborhood association, etc, but I don’t put any personal information on it, I refuse to put the app on my phone, and I always log in through a private browser window. And never use Facebook to log in to another site!
    bonobobwatto_cobra
  • Reply 6 of 19
    Finally got rid of the Facebook app on my phone when thumbnails of my (very) personal photos would show up in the Facebook app with a message like "why don't you share your new photos, click here, don't worry, no one can see these yet".

    viclauyycwatto_cobra
  • Reply 7 of 19
    Why doesn’t anyone sue Facebook for creating these insecure APIs?
    watto_cobra
  • Reply 8 of 19
    eriamjh said:
    I use FB, but it doesn’t use me.  

    95% of my feed is two groups I follow.  Everything and everyone else is unfollowed or blocked.  Even family.  

    However, I use Safari, not an app.  Am I safe?  Or am I screwed? 
    My guess is you are probably screwed... in that once you log into FB, my suspicion is that you are tracked from site to site.  Safari is locked down, especially on iOS, but I would not trust them an inch.

    Also in Wired magazine this month is an article describing how WhatsApp was involved in the mob beating death of five men.
    watto_cobra
  • Reply 9 of 19
    Another good reason I deleted my account.
    I’m curious how you did that. Last time I checked you could be blue deactivate your account. However, all data would still be kept on their servers. You had to go through some really tedious process specifically requiring them to delete your data based on privacy laws. At least, in Germany. 
  • Reply 10 of 19
    Why doesn’t anyone sue Facebook for creating these insecure APIs?
    Suing for insecure APIs seems like a slippery slope, as I imagine there are many, many, many insecure APIs all over the place just waiting to be found.  I am not defending Facebook in the least, but with all these leaks and unauthorized access, etc., has anyone ever been directly affected? Is there any evidence that these incidents have actually proven harmful to anyone?  I'm really curious to know. 
    berndog said:
    This begs raises the question “how many did they intentionally leak during the same time period and was the delay in reporting to help get the photos out to more vendors?”
    what a business model!
    Fixed that for you.
    watto_cobra
  • Reply 11 of 19
    sflocal Posts: 4,406 member
    If I put anything on my FB account, I assume it’s public in some form.  So don’t post anything you don’t want others to see.

    these “breaches” are a non-issue, but people just LOVE to make them seem bigger than they really are.
  • Reply 12 of 19
    sflocal said:
    these “breaches” are a non-issue, but people just LOVE to make them seem bigger than they really are.
    I don't understand why you believe they are a non-issue. If you mean it from the standpoint that to this point (and to my knowledge) there has been no harm done by any of these breaches then, yes, they're a non-issue. But the simple fact that they keep happening over and over IS an issue. Shouldn't Facebook, and others, be doing more to protect the information about their users? Just because there hasn't been anything to worry about (particularly) yet doesn't mean there won't/can't be. And if a hole can be patched it should be, as far as I'm concerned.

    It seems shortsighted to just give Facebook a pass on even relatively benign data breaches/leaks.
    Rayz2016watto_cobra
  • Reply 13 of 19
    ireland Posts: 17,538 member
    What's Facebook?
    watto_cobra
  • Reply 14 of 19
    sflocal Posts: 4,406 member
    sflocal said:
    these “breaches” are a non-issue, but people just LOVE to make them seem bigger than they really are.
    I don't understand why you believe they are a non-issue. If you mean it from the standpoint that to this point (and to my knowledge) there has been no harm done by any of these breaches then, yes, they're a non-issue. But the simple fact that they keep happening over and over IS an issue. Shouldn't Facebook, and others, be doing more to protect the information about their users? Just because there hasn't been anything to worry about (particularly) yet doesn't mean there won't/can't be. And if a hole can be patched it should be, as far as I'm concerned.

    It seems shortsighted to just give Facebook a pass on even relatively benign data breaches/leaks.
    Absolutely blown out of proportion.  Setting your FB to "private" doesn't stop someone from your FB list to screen-capture something and post it elsewhere.  

    I don't post anything on my FB account and/or profile that can't already come up on some search engine.  If whatever pictures I post gets screen-captured, or shared by another person on my FB list, I have to assume that anything I post on FB could leak out, whether by a crappy API flaw giving others access to people's cute-kitten videos, or by some FB user on my list that puts it out somewhere else.

    If people are putting any sensitive information/photos on a social-media site and expecting it to be truly "private", even if set that way on their profile, then I have a bridge to sell them.

    Sure, Facebook should be doing whatever it can to prevent "unauthorized" users from accessing information on a person's profile, but the nature of the service means that nothing is ever truly "private".  Why is that so hard to accept?  If someone wants to know that I watch cute animal videos, and post photos about diving... I really don't care.  That's about as "bad" as it gets for me and I don't assume none of that is private anyways.

    Seriously... it's not like my SSN, Driver's License#, PIN#, financial data, or anything else is posted on FB.  
    watto_cobra
  • Reply 15 of 19
    eriamjh said:
    I use FB, but it doesn’t use me.  

    95% of my feed is two groups I follow.  Everything and everyone else is unfollowed or blocked.  Even family.  

    However, I use Safari, not an app.  Am I safe?  Or am I screwed? 
    This only affects you if you use Facebook to log into an app or website that you then gave access to your photos. If you didn’t do that at any point, then this doesn’t apply to you. 
    watto_cobra
  • Reply 16 of 19
    fastasleep said:

    This only affects you if you use Facebook to log into an app or website that you then gave access to your photos. If you didn’t do that at any point, then this doesn’t apply to you. 
    Soooooooo... I guess I shouldn't have used FB to log in to this forum...
    watto_cobra
  • Reply 17 of 19
    Why doesn’t anyone sue Facebook for creating these insecure APIs?
    They are not Apple. No one holds them to a high standard.
    watto_cobra
  • Reply 18 of 19
    Having access to photos in a broader sense allows those who spoof your FB account to create another one that pretends to be you, but isn’t, sharing new photos not seen by your broader friend community in your postings. This would attract other friends to like your photos and so on. This fake profile can then be used to say things that are inflammatory or the like, opening you up to potential legal or employment issues as many companies have policies about what you post online. It’s common also for companies to research your social media details as part of the vetting process.  The hacker / duplicator in question can also set all your profile settings to public, including those not on Facebook to see. 

    It can be said that someone could do this on a website as well, but the reach of Facebook and how it becomes visible to others in their feed and such makes it unique. 

    There are a number of very annoying things these days.  If I search for a gift for my wife on Amazon, my search results show up not only in my FB news feed, but hers, and across different devices.  Even if I have logged out of FB, cleared settings in Safari, and so forth. It also shows up from searches I’ve done on our Mac.  Browser extensions and other items harvest what I search and share in that manner.  

    Most alarming is that we’ve had verbal conversations as a couple, with no search done and no postings about it, that I have seen items show up in my feed that relate to it.  Coincidence? Perhaps. Still, creepy. 
    watto_cobra
  • Reply 19 of 19
    Another good reason I deleted my account.
    I’m curious how you did that. Last time I checked you could be blue deactivate your account. However, all data would still be kept on their servers. You had to go through some really tedious process specifically requiring them to delete your data based on privacy laws. At least, in Germany. 
    There are certain steps you have to take. 

    https://www.trustedreviews.com/news/how-to-delete-facebook-account-2950145

    There is a deactivate process and a delete process further down. 
    wonkothesanewatto_cobra