Facebook CEO Mark Zuckerberg revealed that all of its 2.2 billion users should assume their public data has been compromised by third-party scrapers.
The source of this vulnerability is Facebook’s search function, which allows anyone to look up users via their email address or phone numbers, information security training analysts said. Users have to opt into it, via an option that lets their names come up in searches. The security settings have this option on by default.
In a blog post from CTO Mike Schroepfer, Facebook hinted at the scope of the problem:
However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.
During a call with members of the press, Zuckerberg confirmed just how open Facebook had left its users:
I would assume if you had that setting turned on that someone at some point has access to your public information in some way.
Zuckerberg clarified, when asked about the 87 million numbers cited earlier, that it was the number of users potentially affected by Cambridge Analytica. According to information security training professionals, Zuckerberg was confident that was the maximum number.
During the call, Zuckerberg also said he felt responsible for the missteps of his company, and that he hoped to learn from them moving forward. When asked if he still considered himself the best person to run the company, he said, “Yes.”