Much has been made of a July Facebook “leak” which allegedly disclosed information on over 100 million Facebook users. What some reports have failed to highlight, however, is that the information was already public to begin with.
Security researcher Ron Bowes wrote a Ruby script that downloads information from Facebook’s user directory, a searchable index of public profile pages. The directory does not expose a user’s entire profile and only exposes information that the user has allowed Facebook to make public. This includes names, profile images, and a small sampling of the user’s friends. Users can opt out of inclusion in the search, but could potentially still appear on the directory page of a friend who is searchable.
Bowes got the idea of spidering the data so that he could collect statistics about the most common names. Such statistical information isn’t sensitive at all and doesn’t pose any security threat to Facebook users. The data could be useful, however, for building automated account cracking software that is generic and not specific to Facebook. This is because a list of the most common names can be used to assemble a good dictionary of potentially popular usernames for use in brute-force tools that attempt to identify and crack user accounts.
This incident doesn’t represent a breach of Facebook’s security, because the information is made public by design. It highlights, however, the importance of keeping an eye on your social networking privacy settings and understanding how your personal information is used. Many users might not realize that their names and photos are accessible in Facebook’s public user directory.
As soon as I heard about the availability of this data, I promptly downloaded it and added it to my list of sources. On its own it is of limited value, but combined with other sources it can be a valuable investigative tool.