Facebook mass hack last month was so totally overblown – only 30 million people affected

Abusing privacy is Facebook’s number one business!

QUOTE

Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…

Facebook users can relax and get back to interacting with quality content and authentic individuals on the social network.

Last month’s deliberate theft of private account records from the internet giant, initially believed to affect 50 million or maybe 90 million accounts, turns out to be nowhere near that bad. Cough.

On Friday, the data-harvesting biz said a mere 30 million people were robbed of their authentication tokens – which could and were used to log into their Facebook accounts. That’s only 1.34 per cent of Facebook’s total active users – which says more about the out-of-control size of the antisocial network than anything else.

“We now know that fewer people were impacted than originally thought,” said Guy Rosen, VP of product management, during a conference call for the media on Friday morning, Pacific Time.

Initial worries that the token pilfering might have led to the compromise of third-party apps implementing Facebook Login turn out to be completely unfounded. Rosen said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising and developer accounts were not affected. Bullet dodged.

For one million of the token deprived, the attackers took no information. For 15 million, they obtained names, phone numbers, and email addresses, if present in their profiles. For the remaining 14 million, they accessed not only profile data fields, but quite a bit more:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

….

“People’s privacy and security is incredibly important and we’re sorry this happened,” said Rosen.

That sorrow has limits. The Register asked Facebook whether it intends to pay for identity theft monitoring for the 30 million people affected, a common act of contrition following data thefts.

A Facebook spokesperson said, “Not at this time; the resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls.”

Nonetheless, Facebook may end up opening the corporate coffers to make things right. The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

“We’ll have to see what Facebook discloses about potential liability if any exists,” said Pravin Kothari, CEO of CipherCloud, in an email to The Register. “The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.

Made and Distributed in the U.S.A.: Online Disinformation

with Facebook’s help of course!

QUOTE

SAN FRANCISCO — When Christine Blasey Ford testified before Congress last month about Justice Brett M. Kavanaugh’s alleged sexual assault, a website called Right Wing News sprang into action on Facebook.

The conservative site, run by the blogger John Hawkins, had created a series of Facebook pages and accounts over the last year under many names, according to Facebook.

After Dr. Blasey testified, Right Wing News posted several false stories about her — including the suggestion that her lawyers were being bribed by Democrats — and then used the network of Facebook pages and accounts to share the pieces so that they proliferated online quickly, social media researchers said.

The result was a real-time spreading of disinformation started by Americans, for Americans.

What Right Wing News did was part of a shift in the flow of online disinformation, falsehoods meant to mislead and inflame. In 2016, before the presidential election, state-backed Russian operatives exploited Facebook and Twitter to sway voters in the United States with divisive messages. Now, weeks before the midterm elections on Nov. 6, such influence campaigns are increasingly a domestic phenomenon fomented by Americans on the left and the right.

“There are now well-developed networks of Americans targeting other Americans with purposefully designed manipulations,” said Molly McKew, an information warfare researcher at the New Media Frontier, a firm that studies social media.

Politics has always involved shadings of the truth via whisper campaigns, direct-mail operations and negative ads bordering on untrue. What is different this time is how domestic sites are emulating the Russian strategy of 2016 by aggressively creating networks of Facebook pages and accounts — many of them fake — that make it appear as if the ideas they are promoting enjoy widespread popularity, researchers said. The activity is also happening on Twitter, they said.

Reverb Press’s logo on its Facebook page shows that it has been verified by the social network.

The shift toward domestic disinformation raises potential free speech issues when Facebook and Twitter find and curtail such accounts that originate in the United States, an issue that may be sensitive before the midterms. “These networks are trying to manipulate people by manufacturing consensus — that’s crossing the line over free speech,” said Ryan Fox, a co-founder of New Knowledge, a firm that tracks disinformation.

This month, Twitter took down a network of 50 accounts that it said were being run by Americans posing as Republican state lawmakers. Twitter said the accounts were geared toward voters in all 50 states.

On Thursday, Facebook said it had identified 559 pages and 251 accounts run by Americans, many of which amplified false and misleading content in a coordinated fashion. The company said it would remove the pages and accounts. Among them were Right Wing News, which had more than 3.1 million followers, and left-wing pages that included the Resistance and Reverb Press, which had 240,000 and 816,000 followers.

Facebook said this amounted to the most domestic pages and accounts it had ever removed related to influence campaigns. The company said it had discovered the activity as part of its broader effort to root out election interference. Also, the pages had become more aggressive in using tactics like fake accounts and multiple pages to make themselves appear more popular.

“If you look at volume, the majority of the information operations we see are domestic actors,” said Nathaniel Gleicher, Facebook’s head of security. He added that the company was struggling with taking down the domestic networks because of the blurry lines between free speech and disinformation.

Mr. Gleicher said that the accounts and pages that Facebook took down on Thursday violated its rules about online spam and that many of the domestic organizations probably had financial motivations for spreading disinformation. The organization can make money by getting people to click on links in Facebook that then direct users to websites filled with ads. Once someone visits the ad-filled website, those clicks mean more ad revenue.

But while traditional spam networks typically use celebrity gossip or stories about natural disasters to get people to click on links that take them to ad-filled sites, these networks were now using political content to attract people’s attention.

Just say no to Facebook

Soldiers in Facebook’s War on Fake News Are Feeling Overrun

Facebook – the sharp tool of mob psychology

QUOTE

MANILA — The fictional news stories pop up on Facebook faster than Paterno Esmaquel II and his co-workers can stamp them out.

Rodrigo Duterte, the president of the Philippines, debated a Catholic bishop over using violence to stop illegal drugs — and won. Pope Francis called Mr. Duterte “a blessing.” Prince Harry and his new wife, Meghan Markle, praised him, too. None were true.

False news is so established and severe in the Philippines that one Facebook executive calls it “patient zero” in the global misinformation epidemic. To fight back in this country, the Silicon Valley social media giant has turned to Mr. Esmaquel and others who work for Rappler, an online news start-up with experience tackling fake stories on Facebook.

While Rappler’s fact checkers work closely with Facebook to investigate and report their findings, they believe the company could do much more.

Right – Facebook do more? Never – they rely on eyeballs for their advertising revenue. The best way to get more eyeballs/revenue is to allow spreading of sensationalist fake news.

“It’s frustrating,” said Marguerite de Leon, 32, a Rappler employee who receives dozens of tips each day about false stories from readers. “We’re cleaning up Facebook’s mess.”

On the front lines in the war over misinformation, Rappler is overmatched and outgunned — and that could be a worrying indicator of Facebook’s effort to curb the global problem by tapping fact-checking organizations around the world. Civil society groups have complained that Facebook’s support is weak. Others have said the company doesn’t offer enough transparency to tell what works and what doesn’t.

Facebook says it has made strides but acknowledges shortcomings. It doesn’t have fact checkers in many places, and is only beginning to roll out tools that would scrutinize visual memes, like text displayed over an image or a short video, sometimes the fastest ways that harmful misinformation can spread.

Paterno Esmaquel II, a Rappler reporter, said the false stories on Facebook just kept coming. “We kill one,” he said, “and another one crops up.” Credit: Jes Aznar for The New York Times

“This effort will never be finished, and we have a lot more to do,” said Jason Rudin, a Facebook product manager.

For fact checkers themselves, the work takes a toll. Members of Rappler’s staff have received death and rape threats. Rappler brought in a psychologist. It debated bulletproofing the windows and installed a second security guard.

The way to end this is to end Facebook and the way to end Facebook is to delete your account.

Facebook targets ads using phone numbers submitted for security purposes

Quote

If you sometimes — or often — wonder how or why you’re seeing a certain ad online, here’s a possible answer.

Most Facebook users know the company targets ads based on information they willingly give the company, but researchers have found that the social media giant also targets ads based on information users may not know is being used to target them — or information they did not explicitly give the company.

For example, phone numbers provided for two-factor authentication are also being used to target ads on Facebook, according to a new report that cites a study, titled “Investigating sources of PII used in Facebook’s targeted advertising,” by researchers from Northeastern and Princeton universities.

When a user gives Facebook a phone number for two-factor authentication or for the purpose of receiving alerts about log-ins, “that phone number became targetable by an advertiser within a couple of weeks,” Gizmodo reported.

A company spokeswoman told Gizmodo that “we use the information people provide to offer a more personalized experience, including showing more relevant ads.” The spokeswoman pointed out that people can set up two-factor authentication without offering their phone numbers.

However, the study also shows — and Gizmodo tested, by successfully targeting an ad at a computer science professor using a landline phone number — that contacts of Facebook users can be targeted without their consent. Facebook users who share their contacts are exposing those contacts to potential ad targeting.

This means that, as a Facebook spokeswoman told Gizmodo, “We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them.”

A Facebook spokeswoman told this news organization Thursday: “We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

In the study, the researchers said Facebook’s use of personally identifiable information in this way is to be expected, given that it’s the business the company is in. “This incentive is exacerbated with the recent introduction of PII-based targeting, which allows advertisers to specify exactly which users to target by specifying a list of their PII,” they said.

Facebook Does it Again! 50 million Facebook accounts breached

Quote

Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook’s code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users.

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the “view as” feature, “code that allowed people to see what other people were seeing when they viewed their profile,” Zuckerberg said. The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens. A surge in usage of the feature was detected on September 16, triggering the investigation that eventually discovered the breach.

“The attackers did try to query our APIs—but we do not yet know if any private information was exposed,” Zuckerberg said. The attackers used the profile retrieval API, which provides access to the information presented in a user’s profile page, but there’s no evidence yet that Facebook messages or other private data was viewed. No credit card data or other information was exposed, according to Facebook.

Regardless, the breach could do further damage to Facebook’s reputation as the company continues to attempt to regain public trust after a recent string of security and privacy issues. In addition to revelations about the misuse of Facebook user data by Cambridge Analytica during the run-up to the 2016 US presidential election, there have been questions about how Facebook itself uses customer data, including the discovery that Facebook had been routinely collecting full call logs and other data from some mobile users.

And if there were not 100 other reasons to ditch Facebook, how about this?

Earlier this week, Facebook acknowledged that it provided phone numbers used for two-factor authentication to advertisers for the purpose of targeting users with advertisements. And Facebook’s Onavo virtual private network application was yanked from Apple’s App Store in August because it was being used by Facebook to collect data about users’ mobile application usage.

Facebook pulls ‘snoopy’ Onavo VPN from Apple’s App Store after falling foul of rules

Just say no to Facebook, they will never change, they can’t, because your private data is their product.

QUOTE

Facebook has pulled its data-snaffling Onavo VPN from Apple’s App Store after the iGiant said the tech violated recently tightened rules.

Onavo is a free VPN app that pipes user traffic through Facebook systems under the pretext of protecting surfers from malware-tainted websites and other threats. The app, which the social network acquired in 2013, sends users’ data back to Facebook, even when the app is turned off.

Security advocates have blasted Onavo for being a privacy threat, as previously reported. Onavo Protect was separately criticised for allegedly harvesting users’ psychological profiles.

Facebook has been accused of using the data gathered through the app to track rivals and provide pointers on new product development. Data from Onavo lit the way for its 2014 purchase of WhatsApp as well as the social network’s excursion into live video in 2016.

Apple updated its App Store guidelines in June to ban “[collecting] information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing”. Apple also informed Facebook that Onavo violated developer rules that prevent apps from using data beyond what’s needed to deliver the service on offer, The Wall Street Journal reported.

Break up Facebook

Since the users of Facebook will never take action to fix their addiction, perhaps it is time for regulators to step in. The history of egregious breaches of public trust and leaks of privacy at Facebook demands action.

QUOTE

When the government broke up the telephone system in 1984, the fact that AT&T could count most citizens as customers and that it was arguably the best-run telephone company in the world was not deemed compelling enough to preserve its monopoly power. The breakup would unleash a wave of competition and innovation that ultimately benefited consumers and the economy.

Facebook seems to be in a similar position today — only with far greater global reach than Ma Bell could have imagined. Facebook’s two billion monthly active users, and the way those accounts are linked and viewed by users and by third parties, have made it the most powerful communications and media company in the world, even if its chief executive, Mark Zuckerberg, insists his is a technology business.

And that power is being abused. As The New York Times reported Tuesday, Facebook shared data with at least four Chinese electronics firms, including one flagged by American officials as a national security threat. We learned earlier this week, thanks to a Times investigation, that it allowed phone and other device makers, including Amazon, Apple, Samsung and Microsoft, to see vast amounts of your personal information without your knowledge. That behavior appears to violate a consent order that Facebook agreed to with the Federal Trade Commission in 2011, after Facebook was found to have made repeated changes to its privacy settings that allowed the company to transfer user data without bothering to inform the users. And it follows the even darker revelation that Facebook allowed a trove of information, including users’ education levels, likes, locations, and religious and political affiliations, to be exploited by the data mining firm Cambridge Analytica to manipulate potential voters for its Republican Party clients.

Throughout its history, Facebook has adamantly argued that it treats our data, and who has access to it, as a sort of sacred trust, with Zuckerberg & Company being the trustees. Yet at the same time, Facebook has continued to undermine privacy by making it cumbersome to opt out of sharing, trying to convince users that we actually do want to share all of our personal information (and some people actually do) and by leaving the door unlocked for its partners and clients to come in and help themselves. Those partners have included 60 device makers that used application programming interfaces, also known as A.P.I.s, so Facebook could run on their gadgets.

In Facebook’s view those partners functioned as extensions of the Facebook app itself and offered similar privacy protections. And the company said that most of this intrusive behavior happened a decade ago, when mobile apps barely existed and Facebook had to program its way onto those devices. “We controlled them tightly from the get-go,” said Facebook’s Ime Archibong, vice president for product partnerships, in a response to The Times’s article. Yet a Times reporter was able to retrieve information on 295,000 Facebook users using a five-year-old BlackBerry.

Facebook Gave Data Access to Chinese Firm Flagged by U.S. Intelligence

Surprise Surprise Surprise! Just say no to Facebook!

Quote

Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant that has a close relationship with China’s government, the social media company said on Tuesday.

The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL.

The four partnerships remain in effect, but Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week.

Facebook gave access to the Chinese device makers along with other manufacturers — including Amazon, Apple, BlackBerry and Samsung — whose agreements were disclosed by The New York Times on Sunday.

The deals were part of an effort to push more mobile users onto the social network starting in 2007, before stand-alone Facebook apps worked well on phones. The agreements allowed device makers to offer some Facebook features, such as address books, “like” buttons and status updates.

Facebook Gave Device Makers Deep Access to Data on Users and Friends

Dear Facebook users, you are the product, you are also morons. Freedom and privacy are rights that need to be defended, not given away for convenience.

Quote

As Facebook sought to become the world’s dominant social media service, it struck agreements allowing phone and other device makers access to vast amounts of its users’ personal information.

Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.

But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.