Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as much as 90 million. In a security note posted Friday morning, the social media giant's VP of product management …

    1. FlamingDeath Bronze badge

      People love money; Facebook is no different. In fact, they love it even more.

      Money is such a wonderful incentive: it incentivises greedy little shitbags, of which there are many, to do all sorts of immoral shenanigans with little regard for consequences.

      Whoever invented money literally consigned humans to extinction, and that is no hyperbole

      1. Nick Ryan Silver badge

        Of course money is important to Facebook. How does Facebook make money? Has anyone here, personally, paid any money to Facebook? They have huge storage, Internet connectivity, management and development overheads... where does the money for this come from?

        • The (information stealing) apps and the cuts on the micro-payments within these.
        • Advertising. This is very low income; however, when scaled out massively it can still produce a good return. Untargeted advertising, though, is nearly worthless.
        • Profiling. Profiling trends in content and topics to sell to those who are interested. Ideally entirely anonymous, however then there's the temptation to link this to the advertising and feedback loops become possible.

        Any more?

  1. adnim Silver badge

    "multiple issues in our code."

    And ya fuckin ethics

    1. Destroy All Monsters Silver badge

      Re: "multiple issues in our code."

      Going fast and breaking things has its downsides.

    2. Potemkine! Silver badge

      Re: "multiple issues in our code."

      And ya fuckin ethics

      As FB's doorman said: "Sorry, Mister, ethics are not allowed here."

  2. Anonymous Coward

    "using people's cellphone numbers, provided for 2FA to target them with adverts"

    ....."even though the numbers were only provided for security reasons rather than ads.".....


    And that in one sentence is why 'Acton of WhatsApp fame' bailed... Pretty good inside take on the WhatsApp founders departure below and the rise of Signal as an App. The chilling ruthlessness of Facebook is pretty clear here:


    ....."When Acton reached Zuckerberg’s office, a Facebook lawyer was present. Acton made clear that the disagreement—Facebook wanted to make money through ads, and he wanted to make it from high-volume users—meant he could get his full allocation of stock. Facebook’s legal team disagreed, saying that WhatsApp had only been exploring monetization initiatives, not “implementing” them. Zuckerberg, for his part, had a simple message: “He was like, This is probably the last time you’ll ever talk to me.”.....


    1. Peter X

      Re: "using people's cellphone numbers, provided for 2FA to target them with adverts"

      Another article explaining the same "Shadow Profile" thing:

      In case anyone isn't aware (I wasn't), where you might expect FB to allow advertisers to target people by obvious data like location, age, gender and things like "interests", they also allow advertisers to target users by their email address or phone numbers. Which means that advertising can be super-targeted... a clothes shop can target their own customers via FB with advertising in the full knowledge of what they've previously purchased.

      And like that isn't bad enough, the information that is used for targeting includes phone numbers that are supposedly only used for two-factor authentication.

      Aaand if that isn't bad enough, it can include contact details that they've skimmed from your FB-friends who have allowed FB access to their contacts.

      All this stuff is part of a "shadow profile" and they won't tell you about that or let you download it.

      This might be obvious to others, but personally, whilst I'd guessed they would build a profile that would place users in broadish categories for interests and perhaps infer a bit more data from that, I didn't know advertisers could target people so specifically. Which is really terrifying when you consider political campaigns.

      1. Anonymous Coward

        'I didn't know advertisers could target people so specifically'

        Makes me sad to read that @PeterX. As it means the message still isn't getting out. What you're quoting is ancient history. It started with friends / family / colleagues phone & email address phonebook uploading 'shadow profiles' ... 'Ugly Truth' memo etc.

        That progressed into firms being coerced into uploading their CRM databases to help advertising campaigns. But it was really about Facebook compiling highly accurate metadata from those databases. Much more accurate than data brokers like Experian could provide. That's why Zuck doesn't need them anymore.

        But things are far worse now... Facebook and Google have been secretly buying financial transaction history (credit cards etc.) for 2-3 years now, and matching it to offline and online activity. They're also buying up medical and patient records. On the side, insurers are now insisting on IoT feeds from fitness trackers. Who will they trade or sell that data to? The usual suspects! When combined with constant Android location tracking the metadata is immense and this is just the beginning...

        Both Facebook and Google are desperate to get into China. They want to use their infrastructure as part of China 2020 Social Credit Score. Then bring that whole dystopian nightmare back to the West. This is the stuff of 1984 meets Blake's 7. It's horrific! And you've just shown that you're stuck in the Matrix and still have little idea what's really going on. Wake up Neo...

      2. fajensen Silver badge
        Big Brother

        Re: "using people's cellphone numbers, provided for 2FA to target them with adverts"

        Which is really terrifying when you consider political campaigns.

        Politics is one thing, but it is slow and inefficient. How about not bothering with the political process at all, since one could be getting a reasonably solid list of people being homos, left-wing, Jewish, female + about town + Muslim, not-Swedish-enough - and then sending the thicko boys round to sort them out and really explain things to them!?

        All it takes, for anyone today, to run one's own private morality police service is: a FB business account, a little money, some nutters who like violence and some targeted advertising.

      3. This post has been deleted by a moderator

  3. LDS Silver badge

    "using people's cellphone numbers [...] to target them with adverts"

    That's why I'll never use any service that requires my phone number to register or log in.... and of course also because I don't want to give them an almost perfect unique identifier.

    Unluckily, I can't kill the friends who let their phonebooks be slurped.

    What do the many people here who defended the practice of asking your phone number think now?

    1. frank ly Silver badge

      Re: "using people's cellphone numbers [...] to target them with adverts"

      I still have an old Nokia 6310i (a lovely phone) that I've fitted with a PAYG sim card with £10 on it. I intend to use that phone if I ever have to set up 2FA by text for anything and it will only ever be turned on for that purpose.

      (Also it has to be turned on at least every six months to make a call to my landline to keep the SIM card active. I don't have to pick up the landline for that to work. That's a calendar event with an alert to remind me every four months.)

      1. ivan5

        Re: "using people's cellphone numbers [...] to target them with adverts"

        I intend to use that phone if I ever have to set up 2FA by text for anything and it will only ever be turned on for that purpose.

        I already have a throwaway Android phone used for that and it is only switched on when I need to use 2FA; it costs €2 a month. The phone can also be used as an emergency phone if necessary.

  4. ma1010 Silver badge

    GDPR violation?

    Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads.

    If this is true, it sounds like a massive GDPR violation to me, although I'm no lawyer, so I could be wrong.

    If it is a violation, I'm hoping some folks in Europe manage to get a big GDPR case going against FB. Four percent of their global turnover would amount to quite a bill! And they so richly deserve every penny of it.

    Icon 'cause FB (and just about every other big corporation) have about the same scruples as Blackbeard. If only there were some sort of regulation of these rapacious corporations here in America!

    1. heyrick Silver badge

      Re: GDPR violation?

      "If only there were some sort of regulation of these rapacious corporations here in America!"

      Corporations ~~manipulate~~ lobby ~~democracy~~ politicians to ensure that such a thing won't happen.

    2. Anonymous Coward

      Re: GDPR violation?

      If only there were some sort of regulation of these rapacious corporations here in America!

      Both the State of California and the United States Congress are working on legislation that implements GDPR-like privacy protections for U.S. citizens. The current thinking is that the tough California legislation (which passed and will go into effect in 2020) will be superseded by toothless federal legislation that is bought and paid for by your friendly, neighborhood Google and Facebook.

      1. Anonymous Coward

        'superseded by toothless federal legislation that is bought and paid for by ... Google & Facebook'

        It's hard to argue against that because Govt is fundamentally divided in its loyalties. Right now they're looking at China 2020 'Social-Credit-Score' and thinking... Wow - that looks useful...

        Have an activist / protestor / human-rights reporter in your family or circle of friends? Your score suffers. You can't take a flight, get into university, get a job, get a date. That's population control. Embarrassing public officials or calling out corruption?

        Never again! Meanwhile in the west Facebook & Google are buying up everything, including medical / patient / health and banking & credit-card transactions... And Insurers are now insisting on IoT live-feeds. See where this is all going???

    3. LDS Silver badge

      Re: GDPR violation?

      I think GDPR is one of the reasons, if not the main one, why this has been published quickly enough... but a breach is not automatically a GDPR violation that brings a massive fine. Still, if an investigation discovers behaviours that violated it, then fines could come...

  5. J. Cook Silver badge

    ... and that's why I call it failbook. Absolutely no surprise here.

    1. Anonymous Coward

      Nah. Graham Linehan nailed it perfectly a decade ago; Friendface - it’s a diseased face of friendship!

    2. Jaspa

      Prefer Farcebook.

  6. Brian Miller

    50 million "snooped", so??

    What in the world are people putting up on Facebook that is so important?? "Oh, a bot came by and made a copy of my Facebook info." Hello, it's a service for the technically inept to fill with garbage. "Me am got computer, haz keyboard, make typing."

    Privacy != Facebook. If something is private, then you are supposed to keep it off of a public service. "Private" means "this data has been generated in hardware, and cannot be extracted even by de-lidding the chip."

    1. Mark 85 Silver badge

      Re: 50 million "snooped", so??

      As I understand it, it may not be just bots. Several friends have complained that there are fake accounts for them that look exactly like the page they made. Complaining to FB just gets them being forced to send in "official" ID and a demand for more personal info. The paranoid in some of us has to wonder if this is a random crim or FB is doing it to collect more data.

    2. Anonymous Coward

      'What in the world are people putting up on Facebook that is so important?'

      Facepalm! The stolen tokens also allow attackers access to 3rd-party accounts (see below). So there's a major security issue here alongside all the privacy aspects. Some users will have leaked posts or embarrassing or compromising pics etc. that were hidden, but can now be used for full-on extortion.

      So this is a huge issue, far bigger than the political interference angle of Cambridge-Analytica/Palantir etc. And you've just shown you're part of the whole problem because you don't get it, or are just underestimating it... Anyone in your circle you've given advice to, seriously needs to do their own research!


      "Facebook has confirmed to reporters that the breach would allow hackers to log in to other accounts that use Facebook's system, of which there are many. This means other major sites, such as AirBnB and Tinder, may also be affected."


  7. Anonymous Coward

    Who is going to buy Facebook user information?

    Let's face it, the users don't care about privacy anyway, so they are probably duplicated in every other breach.

  8. razorfishsl

    Yep... only 50 million users, just a small amount.

  9. Wellyboot Silver badge

    Only & Appears

    Only 50 million directly affected = nearly 1/6 of all Americans or all of Belgium, Greece, Portugal, Sweden & Austria combined.

    Appears that no credit card information was taken - so they don't actually know?

    I hope the devil has a special place just for PR types.

  10. corestore

    Needs more clarity...

    How does this interact with 2FA? Is that still secure, if it's turned on?

    Presumably any attempt to actually *use* these access tokens would generate a 'new login from unknown device' warning from FB? I certainly always see that when I try to log in from a device I haven't used before. Is that warning a default, or something you have to set up when you configure security? I can't recall.

  11. pɹɐʍoɔ snoɯʎuouɐ

    How many times must it be said that you don't put anything on the internet you don't want to be public? Forget privacy settings; just assume everything is there for the world and his wife to read.

    And in the case of Facebook in particular, with all the shit flinging done about it, you must have been living under a penis-shaped rock on Mars for the last 2 years if you were not aware that all your supposedly private information was public. Add to that the fact that mankind does not currently have the technology to put man beyond low earth orbit, and there is no excuse for not being aware that Facebook security is a joke.

    Simple. Just assume every bit of information you put on the internet is public.

  12. Anonymous Coward

    But wait - there’s more!

    ”In effect, every single Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that "only" 50 million accounts were, in the words of a spokesperson, "directly affected." “

    What’s that, the ‘pull numbers out of a hat’ school of security breach PR?

    I’d take bets that in a couple of weeks they’ll take a leaf out of Yahoo’s book and mysteriously ‘discover’ the problem is much, much bigger than stated, neatly bypassing the GDPR rules on disclosing breaches promptly and avoiding the shareholder-upsetting fines. They can round it off by pointing the finger at the fiendish Norks and telling us all they take the security of user data very seriously.

    1. Anonymous Coward

      'in a couple of weeks they’ll take a leaf out of Yahoo’s book'

      I hope GDPR has a pro-rated fine system to motivate firms to fess up early with accurate and not just massaged numbers.

  13. handle handle

    info wars

    Methinks Google found a way to suck info from Facebook.

  14. Anonymous South African Coward Silver badge

    Patch one bug and create a couple of other fun bugs in the process.

    Evil laughter. Muhuhahaha.

  15. 5p0ng3b0b
    Thumb Up

    Data Slurping Company's Data Gets Slurped

    Using the vuln to delete accounts or data rather than just slurping would have done more damage. All the culprits managed to achieve is to wipe a few pennies off the share value and give the FB legal team more job security. FB still has the data of these 50m users (which will probably pay any losses incurred and still make a profit) and has now closed the vuln.

    50m is only 0.0022421524663677% of 2.23bn so maybe a more parallel attack and process the profile id number in random order next time to delay the detection!

    Let the dawn of API injection vulns commence!

    1. doublelayer Silver badge

      Re: Data Slurping Company's Data Gets Slurped


      "50m is only 0.0022421524663677% of 2.23bn so [...]"

      5.7e7/2.23e9 = 0.02242152466367713

      0.02242152466367713 = 2.242152466367713%

      And the detection wasn't based on sequential accesses; we don't know in what order, if any, the accounts were accessed. The thing that tipped them off was the quantity of accesses, so the perpetrators could have gotten more data by slowing it down, potentially evading Facebook security forever.

      Also, the people didn't break in with the intention of taking Facebook down. They wanted the data, and they got it. We don't yet know what they're going to do with it, but the results were intended to be, and will be, problematic for the users, not Facebook.

  16. Spasticus Autisticus

    To my shame, I have a FB account. I haven't used it for ages and haven't agreed to the new terms post-GDPR, so it's sort of dormant.

    What I'd like to do is delete my FB account, but first have FB give me ALL the info they have on me. I've never given them my mobile number but suspect they have it. FB is almost certain to have more info about me than shows on my account, which I can delete (deletefacebook).

    Is there somewhere that details how to go about getting FB to tell me everything they hold on me? I know it would be pretty much impossible to know they have complied but I would at least like to try.

    1. Anonymous Coward

      >Is there somewhere that details how to go about getting FB to tell me everything they hold on me?

      I did that and deleted my account. Not looked at it admittedly, but nice to have.

      1. werdsmith Silver badge

        This is my shame. I did this some years ago and discovered that my phone contacts had been uploaded to Faecebook. I apologised to all my contacts and closed the account. Too late though.

        So it's worth knowing that whilst you may avoid faecebook you can still be shat on and let down by any so called friends that still have an account and feed the depraved animal.

        Lucky that I only know one die-hard user who is still defiantly fucking the rest of us over. It's easy to get rid of faecebook and you won't miss it. There is always a much better way to do whatever you think you need it for if you are not a lazy-arsed bastard.

    2. Wayland Bronze badge


      Deleting a FB account is not as easy as you think. Just as deleting a file is really just de-listing it from the directory, it's the same with FB. Then when you finally want to scrub it off their system they are suddenly unsure it's really you and need you to register your phone and other methods of ID.

  17. Velv Silver badge

    Facebook @ Work

    I wonder if the same issue could potentially have been open on Workplace (Facebook collaboration for companies). How many businesses could have had data stolen that’s not just kitten videos and people’s lunch pictures?

    1. Destroy All Monsters Silver badge

      Re: Facebook @ Work

      As Mr. White says in Reservoir Dogs:

      "A lot"

  18. CrysTalK

    'View As' Could be an intentional feature

    That feature could've been intentional for TLAs so agents can access anybody's private account, even if said agents were deployed overseas.

    If not for TLAs and secret agencies, then maybe that feature was given to big corps who wanted some private data of FB users.

    Just patched by FB when that Taiwanese guy claimed he would delete the FB account of Zuckerberg in a live stream.

    That's why, as most tech gurus claim, it's not good to put in backdoors, be it hardware or software, because sooner or later someone will discover those backdoors. OK, as usual, just claim it was a bug and not an intentional feature.

  19. WibbleMe

    Also in other news, hacker website publishes links to 1 trillion cat photos

  20. Anonymous Coward

    A challenge for The Register

    Get rid of all the share buttons on your pages, starting with the Facebook one. Otherwise you’re part of the problem.

    1. Keef

      Re: A challenge for The Register


      I don't see those share buttons thanks to uBlock Origin, but this also has the detrimental effect of denying El Reg ad revenue.

      I'd happily pay to read if you'd let me, El Reg.

      You could leave an ad-supported, non-subscribed option to keep the scummy ad revenue.

  21. Anonymous Coward

    Hey Facebook

    Suffer in ya jocks!

  22. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Facebook hires great hacker talent, too talented for a f*ckup like this. Data on 50+ Million Facebook users is a heck of a lot more valuable than a measly little bug bounty. This stinks of an inside job.

  23. Destroy All Monsters Silver badge

    "used Facebook to authenticate the hacked users... oops!"

    Now I finally know what "use Facebook to login" is good for.

    Absolutely nothing.

  24. Winkypop Silver badge

    That horse, it bolted from the stable

    It went that a way....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....


  25. Anonymous Coward

    >It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as much as 90 million.

    As many?


Biting the hand that feeds IT © 1998–2019