Facebook Hacked: Software Engineer Discovers Flaw, Harvests Public User Data With Algorithm

Facebook has arguably come under fire for its security practices more than any other website in the history of the internet. As of Q2 2015, the second-most-popular site in the world (according to Alexa) boasted nearly 1.5 billion active accounts: nearly a quarter of the world's population. Now, according to a report from The Guardian, one software engineer has exploited a flaw in Facebook's security and developed a hack to gather thousands of public names, pictures, and locations from Facebook.

"Hacked" is a word that nobody wants to hear associated with Facebook, and it's maybe a bit of an overstatement here. Software engineer Reza Moaiandin, technical director of Leeds-based Salt.agency, took note of a relatively unused Facebook feature that allows users to search for other Facebook users using only their phone number.

Curious what could be done with this feature, which he discovered "by mistake," Moaiandin wrote up a quick Facebook hacking script using Facebook's API (application programming interface) to quickly generate thousands of possible phone numbers and search for them automatically, essentially using a search algorithm to hack Facebook. The result was thousands of pieces of identifying information gathered very quickly, and he posted about it on his company blog, as City A.M. reports.

"By using a script, an entire country's (I tested with the U.S., the U.K. and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details."

Moaiandin is one of the "good guys" -- he isn't using the data he gathered, and he exposed the flaw publicly in the hopes that Facebook will deal with it. Computer security analyst Graham Cluley says that Facebook "should be attempting to prevent the widescale hoovering up of data, and I'm disappointed to hear that they appear to have failed on this occasion," calling on Facebook to educate their users about data privacy and to make it "as difficult as possible" for Facebook hackers to gather up even public information.

"If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default."

Relatively speaking, this hack is harmless. Certainly, users should check to ensure that their phone number is private on Facebook; hackers can use it to gather data that they can sell to unscrupulous marketing companies.

After submitting the potential hack to Facebook twice privately through their "bug bounty" program, Moaiandin finally decided to test the theory and go public with the results.

"[It's like] walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details.'"

A Facebook spokesperson responded to the concerns, but the response essentially said that it was each individual's responsibility to protect their data from hackers, not Facebook's.

High-profile hacks are becoming more common every day; as the Inquisitr recently reported, dating/cheating website Ashley Madison was hacked, potentially exposing the personal details of 37 million users.

Facebook has 1.5 billion. Do you trust them with your data?
