Data for 100m Facebook accounts published to BitTorrent

Underscoring the permanence of data published on the internet, a security researcher has compiled the names and URLs of more than 100 million Facebook users and made them available as a BitTorrent download. Ron Bowles, who describes himself as a certified penetration tester, said he used some hastily written code to harvest …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I came here for news

    Not reprinting of the moronic rantings of a shameless self-publicist. It really doesn't take much effort in computer security to come up with the dumbest story known to man and get big in the mainstream press does it?

    1. faibistes
      Dead Vulture

      Agreed

      *shrug* For the life of me I can't see the interest of this story. It puzzled me when it hit the big media. Ex-girlfriends, colleagues, bosses, neighbours and mostly everybody have been stalked this way via google->facebook since the dawn of time.

      And you guys are putting this on "Top stories"?

      The only point that's marginally interesting about this is the "Internet is forever" thing. Which, sadly, is far from the truth. I browse the web archive more than I would like, and many things aren't there anymore.

      1. Richard 81

        Umm...

        Wow there's some serious harrumphing going on here.

        Do you not think the scale of this is at all newsworthy?

        OK, so they've basically just automated a process that could be done manually. Except that they've then used it to mine data from 100 million people.

        Also, having not heard of this through the mainstream media, this seemed to be a well written, unbiased, informative piece on something that is certainly IT related.

        Well done El Reg.

        Boo angry people.

    2. DPWDC

      Fully Agree!

      Not even a story - when the BBC played this "news" on loop all day yesterday, I was thinking "well done the reg for not even mentioning it" - however, it just seems that the reg were a day late in reporting on IT...

  2. Anonymous Coward
    Anonymous Coward

    Cue

    Cue much flapping of wings, clucking, looking brainless and other chicken-like behaviour as those on the list discover that "exposing your details" really did mean them too. I can only hope Faecebook really aren't enjoying the attendant publicity.

    1. lglethal Silver badge
      Go

      Actually I'm quite interested in this....

      Whilst I have all of my security settings set to private and don't allow anyone but friends to view my stuff and don't post moronic messages etc, I'm still interested to see just how much stuff this trawl picked up. I'll probably download this tonight and do a search for my name to make sure that the level of privacy I THINK I have is the same as the level of privacy I ACTUALLY have.

      I will probably also search for members of my family (who aren't the most tech savvy of individuals) so I can show them exactly how much they're making available online and get them to improve their security and start taking this seriously.

      Yes it's a non-story for anyone who is the remotest bit tech-savvy, if this story makes those for whom a breadboard is the thing in the kitchen you slice your loaf on, a tiny bit more aware of their privacy (or lack thereof) on the internet this can only be a good thing...

      1. MinionZero
        Big Brother

        @lglethal

        Facebook != Privacy

        Which is why my Facebook privacy measures are 100% secure as I don't have a Facebook account!

        I've never bought into the whole Facebook culture fad. I use "old fashioned" forms of communications like email, IM, phones, letters, talking to people etc... They all do the job without having to leak so much about myself to the Facebook company and that is the real privacy issue. Because even when you are using Facebook privacy settings to the max, Facebook are still able to access and exploit your data and they do exploit it and they are not the only ones with access to Facebook data.

        (Anyone who doesn't believe the kind of privacy issues Facebook presents, just try this as an experiment. If you live in the UK, and are on facebook then just for a laugh add binladin as a friend so you can tell all your friends you have finally found him, when no one else could. Think it's just a joke, yeah right, then wait for the interesting worrying phone call that most definitely isn't from a marketing company. The question this raises is how does state security associate facebook to your phone number and directly to you? They clearly can because I now know for a fact this happens as it's happened to someone I know. State security has no sense of humour, to them it's not a joke because to them, that friend link is a honey pot trap to try to identify potential sympathizers. I think it's profoundly ignorant in the extreme, but there you go, that’s the kind of twisted stupid games they are increasingly playing to identify people. So it shows the state is profiling Facebook all the time and they are increasingly trying to link people together and they have ever more reasons to try to link like minded people together. So even if you have never done anything wrong then just through association you can move higher up their watch list. Score enough points (even if they are false positives) and you win the coveted Domestic Extremist award which entitles you to have your liberty withheld whenever the state chooses while they rummage through your car, your house, your life, whatever they want. Evil Domestic Extremists like 2 million UK RSPB bird watching members, environmental protesters and airport expansion (destroying their homes) protesters. You know, the kind of people the police want to watch if they are going anywhere near potentially large protest meetings.

        That’s just a glimpse of the insanely stupid ways Facebook data is increasingly being exploited by the state. So behind the facade of a Facebook cultural fad, it's getting very Orwellian very fast.

        Which is why I said Facebook != Privacy … and that's just a glimpse of where we are at now!

  3. Nader

    Not entirely true

    Remember Geocities? Most of those sites are long lost and never to be seen again...

    1. J 3
      Happy

      @Nader

      I see you haven't heard of the Internet Archive and similar projects.

      When I search for the site running on my lab's computer I get:

      "We're sorry, access to http://xxxxxxxxxxxxxxxxxx has been blocked by the site owner via robots.txt."

      And no, my site's URL is not xxxxxxxxxxxxxxxx.

      Or go here to see El Reg in 1998 (instead of annoying Flash you get annoying animated GIFs, yay):

      http://web.archive.org/web/19980628145626/http://www.theregister.co.uk/

    2. jake Silver badge

      @Nader, Re: Geocities

      Do you *REALLY* think that Yahoo! doesn't still have access to all that data?

      If you provide details to multi-billion-dollar multi-national corporations, you'll never be able to sweep the cats through the barn door into the worm can[1] again ...

      Now ask me why I don't use BingMyGooFaceYouTwit! & the like ...

      [1] "tin", to you Brits.

      1. Anonymous Coward
        Anonymous Coward

        @barn door worms

        To this Brit you're opening up a whole can of tins!

      2. Captain TickTock
        Headmaster

        Tin-Can

        [1] "tin", to you Brits.

        yeah, we know.

      3. Captain TickTock
        Joke

        Driving a double-decker bus through

        the stable door after it's bolted.

        There's not enough room to swing a horse in here

    3. Anonymous Coward
      Anonymous Coward

      And nothing of value was lost

      while the top million most hideous web pages now reside on Myspace

    4. Anonymous Coward
      Anonymous Coward

      archive.org

      Not quite, www.archive.org

    5. John Lilburne

      You forget ...

      ... thewaybackmachine most of it is archived there.

    6. ThaMossop

      Re: Remember Geocities...

      Despite abandoning it years ago, I found my old Geocities now being hosted at oocities.com so they may not be all gone.

      As for this story, this is such a non-event story. The files told me that they had found a couple of thousand people who had the same name as me, and didn't find the link to my url. And so what if they did, it's not as if it's not available from Google anyway.

    7. pip25

      Unless...

      Unless you look in the Internet Archive and/or the projects which specifically targeted archiving Geocities before its closing.

    8. Test Man
      FAIL

      Actually...

      Not strictly true... there's at least two domains out there that archived Geocities sites wholesale and make it available. And you have forgotten about the Wayback Machine too.

  4. Doug Glass
    Go

    Ok Zuckerburger ...

    .... your move.

    1. Tom 35

      If the info was pulled from Google

      What can Suckerburger say? It was Facebook that decided to spray everyone's info all over the net.

    2. A Non e-mouse Silver badge
      FAIL

      Er, No

      Facebook gave users the choice: Reveal your profile to search engines or not ? Some users said: "Sure, let google, et al" see my profile.

      They gave the users the choice, and the users made their choice. So why is this Facebook's/Zuckerburger's problem ?

      1. Anonymous Coward
        FAIL

        RE: Er, No

        Well, yes actually, this is Facebook and Zuckerburger's problem, in that the default security settings have always been the lowest possible, and whenever they change settings, they get reverted to the lowest possible, not to mention that only in the last year have they actually started to bother adding some real security settings at all....

  5. Aussie Brusader
    Stop

    *sigh*

    I'm going to create a Facebook page about this right now!

  6. JaitcH
    WTF?

    F is for Facebook ...

    and Fools.

    The amount of personal information people put in Facebook about themselves AND OTHERS boggles the mind. This information is a treasure trove for skip tracers, police and potential employers.

    Such people can be described as fools.

    1. Elmer Phud
      IT Angle

      Number 6

      "You won't get it!"

      It all depends on what info is put on Facebook and what the level of access has been set to.

      Plus, most people seem to have some really odd pictures as profile pics.

      Then there are those with (against Facebook's T&C) more than one account where everything is fictitious.

      I guess it's just the difference between someone scraping the publicly accessible side of Facebook and someone else getting in the backdoor of a bank or insurance company. I know which I feel safer with.

  7. Winkypop Silver badge
    Thumb Up

    Oh dear

    Bwaaaahhahahaaaaa!

  8. This post has been deleted by its author

    1. Captain TickTock
      Coat

      Phnarr..

      If you get the thrust of the article...

      Mine's the trenchcoat, I'm going in deep, deep, deep undercover.

    2. Doug Glass
      Paris Hilton

      I was that in high school ...

      ... and college and it had nothing to do with any computer program. But it did deal with "hard" ware.

      Paris because Paris has already dealt with hardware and is certified.

  9. Eden

    Pffft

    I've set my facebook page up to open because I really couldn't care less if people see my name and who I'm friends with.

    I use it to upload photos and share with family and friends mainly and have it open so friends of friends etc can also view them.

    I don't post anything up there that I wouldn't be happy with the world+dog seeing so no security issues are ever going to bother me short of someone getting access to my account and sending friends/family obscene emails or spam =p.

    I register a SPAM email address, fake address, no phone number, no problem.

    1. Doug Glass
      Go

      That's Probably THE Best Solution

      But there's a whole planet full of people who simply don't understand the only security that counts is that which is between your ears and within your skull. For them, taking care of security is somebody else's task and is thereby never what it needs to be. Not that it ever will be.

      Sheep were made to be fleeced, there's a sucker born every minute and if you're going to be dumb, you better be tough.

  10. Rich 27

    Facebook bashing is getting old

    If this guy's a "certified penetration tester" where is his work ethics gone when he makes all of this available via bittorrent?????? why didn't he just let them know?

    Sounds very dodge to me!!

    1. Doug Glass
      Go

      Nawww, Not Really

      Like old bubble gum ... just add a bit of spit and you can chew all over again.

    2. Andy Fletcher
      Thumb Up

      Because then...

      ...no-one hears about it. No point being a penetration tester if no-one knows you do it. This is how to get your story more exposure - instead of 3 people reading about it, a few million. I'm not saying it's right, ethical or whatever. I am saying it's exactly what I'd have done.

  11. LaeMing
    Thumb Up

    Cool

    I am a tiny bit more famous now!

    Nothing on my FB site I care about having exposed - I always assumed the security was crap and always would be and behaved accordingly.

    Then again, I don't even assume what is on my home box behind a NAT and two firewalls is 'safe'. ....well, while it is on the encrypted external drive and said drive is unplugged, I tentatively make the assumption of reasonable content security.

  12. TonyHoyle

    Whoopee, he can use google

    Surprised he didn't publish 'the details of a billion websites'

    Spending 5 minutes writing a script to google facebook accounts = lots of publicity. Nice little earner too once the tabloids come around waving their chequebooks.

  13. Anonymous Coward
    Dead Vulture

    <yawn>

    Seriously, who cares? The answer is easy - don't put anything on your Facebook pages that you don't want on your Facebook pages. The whole point of Facebook is that it's for sharing. If you want to keep things private you don't put it on the internet anywhere let alone a site that's specifically designed to share data with many people.

    I'm bored with the whole Facebook-privacy thing.

    Can't we just leave the following advice as a sticky on the Reg frontpage and not bother with any more Facebook stories?

    "Facebook is a web site. Your data might be visible to people you didn't intend. If you're that concerned about data security and privacy, don't join Facebook. If you want to join anyway, only put things on there you'd be happy for anyone to see. Otherwise, keep calm and carry on."

  14. Anonymous Coward
    FAIL

    FB saying...

    "You can't do it" doesn't cut much ice, really. After all, those with naughtiness on their mind aren't going to look at the Ts & Cs and quake in their boots, are they?

  15. Fred 5

    Job title?

    "certified penetration tester"??? Now that's something to have on your business card.

  16. Anonymous Coward
    Anonymous Coward

    Please god,

    someone create a better alternative that people will move to, and I hope it doesn't turn out to be a Betamax vs. VHS

    I am sure that's already happened though.

  17. Anonymous Coward
    Anonymous Coward

    Obvious experts state obvious is obvious

    And still people don't get it.

    Once information is made public, it's Out There. That's nothing specifically to do with the internet, though it'll rub your face in it if you try and make things unpublic again ("Streisand effect").

    It is also why privacy protection is important, and why "we'll store your data first and maybe perhaps remove it later" is not an acceptable answer from, oh, companies (nokia), the government (preventive storing on dna databases, fingerprinting 6yo children, others) or whoever else. Plenty of people don't get that, including people in government, corporations, or generally supposedly IT savvy readers of el reg.

    Really, the only way to protect privacy in any meaningful way is to stop requiring full identity at the drop of a hat. Instead we'll have to find ways to reduce the information that needs handing over to the absolute minimum. If disposable credit cards aren't enough, well, maybe we'll have to come up with disposable "identity proofs". Yes, most people won't get that either, at first. They'll have to get their heads around it later or sooner. They'd better.

  18. Jon Double Nice
    Coat

    Facebook strictly forbids the scraping of its content

    you missed out the '... bitch'

  19. Sooty
    Joke

    presumably

    The ICO will not consider a name, photograph, unique URL, and list of friends to be in any way, personally identifiable information.

  20. ewan 3
    Paris Hilton

    Certified Penetration Tester

    Sounds like fun work, where do I sign up.... Paris because, well...

  21. heyrick Silver badge

    So if I am on that site...

    ...they'll have my name, a graphic of Haruhi Suzumiya, and a disposable Yahoo email address.

    Wait, what... you think I'd give my address...? To Facebook? Nyahahahaha! HELL NO.

    1. Gaz Jay
      Thumb Up

      Title

      Reminds me of when I worked for a marketing company. They had a service they used to offer where they would "append" brick and mortar address details to any email address. The idea is they would capture your email address when you signed up for an email newsletter, then would be able to send you things through the post/get your home phone number etc. Unethical and probably illegal too I know.

      I put in some of my email addresses that I've used over the years to see what got appended. The results were pretty funny. I hope to god that some marketing company somewhere really has tried to send some crap to the fake addresses I made up!

      Sadly, the service often did manage to find addresses for email addresses.

      I left the company mainly because I couldn't live with the feeling that I was helping distribute the kind of crap I hate to receive myself. The company has since folded.

  22. Anonymous Coward
    Thumb Down

    "Skull Security"?

    What a lame script kiddie.

  23. Anonymous Coward
    Thumb Up

    Fine by me

    All the shit on my farcebook page is intentionally made searchable, to obfuscate anything that might be important further down the rankings.

    1. Rich 30
      Happy

      ha

      i lol'd

  24. Anonymous Coward
    FAIL

    joke

    This is a complete joke. So he can google and brute force? I think he needs a friendly DoS from anon to remind him that he is a pathetic little c**t.

    What's that? skullsecurity.org is down? I wonder.

  25. Lionel Baden
    Megaphone

    I know why I'm downloading it !!

    see if anybody I know needs a heads up !!!

    also mebbe mine has been scraped, I don't really bother with it so nothing to lose but it would be annoying !!!

  26. Andrew Barr
    Joke

    I have about 20,000 names, address and telephone numbers in a searchable format

    It is called the BT phone book, it gets delivered to my house maybe once a year!

    1. J Lewter

      Search it wut?...

      If you scan it all in so you can "search by number" then you're breaking UK law..

      Reverse directory lookup in the UK isn't permitted.

  27. MonkeyBot
    Paris Hilton

    Re: "certified penetration tester"

    Ooerr missus/yeah, baby!

    Take your pick.

  28. Neil Cameron-Rollo

    Shame

    It's a pity that these obviously clever but ultimately dumb people could not find something genuinely useful (or possibly even altruistic) to do with their talents rather than standing there waving their todgers saying 'look how clever I am'. They really should be ashamed of themselves

  29. Anonymous Coward
    Flame

    a**hole

    It really is about time that self-described security researchers like this get taught that it isn't funny, and it isn't clever, to abuse a security hole as a way to publicise it. This guy is no better than the tw@ts who write viruses, and he deserves the same treatment.

    As one of the few people (it seems) that doesn't have a facebook account this doesn't impact me directly, but there are no doubt many ordinary users who, through inexperience or naivete, will get hurt by this, for no good reason.

  30. Paper

    Umm...

    Isn't the whole point of facebook that at least your name, photo and a few details are exposed, so that others can find you? Otherwise it wouldn't be a very sociable site now would it!

    1. Winkypop Silver badge
      WTF?

      What?

      There's a point to FB?

      Who knew?

  31. Anonymous Coward
    Anonymous Coward

    Oh noes, forbidden!

    so, is Fuckerberg going to be suing Google for scraping his site? Should be a fun day or two in court... bitch.

  32. DPWDC
    FAIL

    BT

    British Telecom have released a list containing all its (non-ex directory) users full names, address details, and telephone numbers - please can the reg run an article on this too, it's no different.

  33. Anonymous Coward
    WTF?

    It's nothing

    Having now downloaded this and looked at it, it's completely benign and utter rubbish. No emails, no photos, no personal information at all, bar a collection of names and the urls of each person's page. Utter, utter, nothing.

  34. Rob Sked
    Unhappy

    If only Ron knew . . . .

    http://web.archive.org/web/20070501170431/http://www.skullsecurity.org/

  35. Jamie Kitson

    Quote

    "no more alarming than finding the yellow pages in a brothel."

    http://www.bbc.co.uk/news/technology-10796584

  36. Hayden Clark Silver badge
    Alert

    The newsworthy bit...

    RTFA:

    "The list also includes the unique web address to each account, meaning the pages will be accessible even if the users later configure their accounts to be private"

    In other words, the URL and viewability of your pages doesn't change when you change the privacy settings, only the existence of links to them. So, those pages are effectively public for ever. It's probably a Facebook bug, as it should be confirming your login status for every page, and gating content accordingly.

  37. Graham Marsden
    Thumb Down

    Facebook has reiterated...

    "that their attitude to making data available is that you opt in to everything unless you can figure out how to stop it, bitch".

    There, fixed it for you!

  38. Doug Glass
    Go

    Facebook is like used underwear

    When it's dirty it's disgusting; when it's clean the streaks are still there.

  39. Henry Wertz 1 Gold badge

    eula?

    @"a**hole" ac: he didn't exploit a security hole! Facebook is wide open and publicly accessible. That's the whole point. If someone has their profile private, presumably there's no info on you in the torrent.

    What's the consequence for violating the T & Cs? I suppose facebook could cancel his account.

    1. Anonymous Coward
      Thumb Down

      security through ignorance...

      > he didn't exploit a security hole! Facebook is wide open and publicly accessible.

      And you don't think that's a security hole?

  40. geejayoh
    FAIL

    Four Fifths

    at least 1/5 of people are retards.

    Facebook: 500,000,000 users

    100,000,000 records publicly available.

    1/5.

    Q.E.D.

  41. andywu
    Go

    Want to know if you were included in these files?

    Want to know if you were included in these files? This web page will tell you...

    http://nohasslesites.com/FacebookNames

  42. Anonymous Coward
    Anonymous Coward

    Thanks

    That's a pretty useful site, there!

    Many thanks,

    John Smith.

  43. This post has been deleted by its author

  44. Anonymous Coward
    Anonymous Coward

    There is a new application that lets you find if your details were on this file!

    Link: http://apps.facebook.com/wasihacked
