Lost My Phone, Give Me Your Number!! Groups On Facebook Are A Spammer's Paradise


Sound familiar? For years, many people who have recently lost their phones have turned to Facebook to reunite with their friends. But rather than use the site’s integrated phone directory (which is probably more comprehensive than you think) they take a different approach: a new Facebook group declaring that their address book is gone for good. These groups often wind up with over a dozen phone numbers from friends who leave their numbers on the group’s wall. Turns out, that’s often a bad idea — in some cases it’s incredibly easy for spammers to harvest these phone numbers from Facebook. All it takes is a little Google trickery.

Earlier today we received a tip showing just how easy this ‘hack’ was to execute, yielding many thousands (perhaps even millions) of phone numbers. I quickly alerted Facebook to the issue, hoping that they might do something to somehow fix it before I wrote anything. But it doesn’t look like that’s going to happen — Facebook’s view is that users shouldn’t be using these groups (at least not public ones) to share their phone numbers. And Google has cached many of these numbers, so it’s unlikely they could do much anyway. From a Facebook spokesman:

We certainly agree that people should be careful when posting their phone number to any public forum (and if they do decide to do it, they should probably delete the number once it’s been used for the intended purpose).

The trick itself is very simple, yielding hundreds of thousands of Facebook groups, many of which have multiple phone numbers listed that are tied to each user’s real name. We’re not going to actually include the directions (giving spammers a slightly more difficult hurdle), but here’s what a page of results on Google looks like:

It’s also possible to do a query with similar results on Facebook itself, so this isn’t solely a problem with search engines. And this isn’t tied to spammers alone either — it’s easy to tweak the ‘hack’ to look for an individual’s phone number.

The issue here is that people are sharing private data in groups that have been marked public, rather than private groups that can only be viewed by group members. Facebook has obviously noticed that this is a trend, because if you try to create a group and include certain keywords (like “phone number”) the site will actually recommend that you use the Facebook phone number directory instead. But there are plenty of people who still do it anyway.

Thing is, the problem doesn’t just lie with user error — Facebook deserves some of the blame. When you create a group, you are presented with three options: ‘Open’, ‘Closed’, and ‘Secret’. People generally choose the first setting for these phone groups, because it means they don’t have to manually invite or approve every friend they have. Here’s how Facebook describes the ‘Open’ setting:

In this case it isn’t clear what exactly anyone really means. Are groups only exposed to other Facebook users? Or do search engines have access to the data too? Obviously, it’s the latter. Perhaps more important: the language doesn’t do anything to convey that sharing this information with the world might be a dumb idea. Thankfully, Facebook is planning to make this more clear:

While there are some differences between this information being available through a Facebook search by any of our 300 million users and a search on Google, the more important issue here is that users are choosing to create open groups for this purpose…. We’re working on language changes that will hopefully make it even more clear how large an audience this is. In the meantime, we fully support you educating your readers on this point.

This all ties back to my concerns over the looming Facebook Privacy Fiasco that will strike once Facebook eventually flips the switch on its privacy overhaul and begins encouraging users to share their information with the world (don’t remember that? It was announced way back in July and is apparently still in the works). The fact of the matter is that Facebook has established trust with millions of users who believe it has at least some degree of privacy. Any time Facebook invites users to share information with the world, it needs to make it abundantly (perhaps even annoyingly) clear what implications that could have.

Thanks to Eric Fulton for the tip