When you have half a billion users, six million might sound like a drop in the bucket. But that is still six million accounts that may have been compromised, and if yours was one of those accounts, it really doesn’t matter how many others were also hit.
The contact information of six million Facebook users was exposed by a glitch in the system, Facebook revealed late last week. The glitch affected the “Download Your Information” tool, revealing contact information that wasn’t supposed to be made public. And while Facebook claims it only just discovered the glitch and fixed it within 24 hours, the problem has allegedly existed since June 2012. As CNET explained the problem:
The glitch itself is a bit difficult to explain, but essentially if you chose to download a copy of your data, your Facebook archive may have included the phone number or e-mail address of a person who you are connected to but did not have those particular contact details for. The extra information was provided because of a hiccup during the friend recommendation process.
In an email to me, Mike Gross, director of professional services and risk management at 41st Parameter, explained why this breach could cause a lot of trouble, not just for the users themselves, but for the company network as well:
The same potential risk exists with this as for the LivingSocial breach… Seemingly innocuous breach of “low-risk” data — no card or payment information. However, this makes phishers’ jobs much easier, as they now potentially have access to an e-mail address, as well as the individual’s closest connections/relationships. So rather than getting a phishing e-mail with a link from Facebook or another site, a fraudster could make the phishing e-mail look as though it is originating from your close friend with a link that looks legitimate but sends the user to a site that downloads malware on their device. This is actually a much more dangerous data breach than others where no contextual data is provided since having data on close connections allows the fraudster to easily target victims with e-mails that are more likely to get opened and links to be clicked.
Gross added that once relationships are exposed, it makes the phisher’s goal of getting a return on their effort much easier. That effort is usually spreading malware. And once malware is on millions of devices, the fraudster essentially has access to every potential online account.
Six million out of 500 million doesn’t seem like much. But it could lead to a whole lot of trouble.