Security specialist Ron Bowes has once again proven how easy it is to glean valuable user information from Facebook, by spidering Facebook’s online directory and compiling it all into one neat little torrent that could be downloaded off his site, SkullSecurity.com.
Bowes created a torrent containing over 171 million entries with links to profiles that provide access to the names, addresses and phone numbers of 100 million users, one fifth of Facebook. Bowes accessed Facebook’s directory, which has the default dictum “Anyone can opt out of appearing here by changing their Search privacy settings.” Yeah, but should they have to?
These kinds of security breaches will only encourage more hackers desperate for attention. Now would be a good time for Facebook to set their default search to “Friends Only.” Why? Because most people aren’t quite aware that the check mark next to “Everyone” includes a hacker who can grab your personal info, package it up and sell it to the highest bidder.
According to Bowes, the torrent contains (at 2.8 GB, our torrent is “still downloading”) …
- The URL of every searchable Facebook user’s profile.
- The name of every searchable Facebook user, both unique and by count (perfect for post-processing, datamining, etc).
- Processed lists, including first names with count, last names with count, potential usernames with count, etc.
- The programs [Bowes] used to generate everything [which makes it easy for other hackers to replicate the process].
While the advice to an individual user to change your privacy settings may be moot at this point, the suggestion that Facebook make its profiles unindexable by default isn’t. Especially when you read the more ominous statement from Bowes further on in his post on the breach, “So far, I have only indexed the searchable users, not their friends … I’d like to tackle that in the future.”