Alarming news broke from Facebook Security late on Friday, 21 June 2013, at 7:50pm EST: user contact details had been exposed, not by an external attack but by a bug in Facebook's own code. That a defect like this reached production suggests the code was not adequately tested before release, and it shows a carelessness on the part of Facebook and its security team that put users' data at risk.
The post, titled “Important Message from Facebook’s White Hat Program”, went up late in the evening Eastern time.
It appears that Facebook had known about the bug for some time and, to blunt media coverage and harsh criticism, published the news at 4:50pm PST on a Friday, when most people were already starting their weekend.
Graham Cluley has written a very good post on how Facebook may have timed its disclosure to minimise attention. You may read it here.
It is clear that Facebook has failed again, repeating the same mistake of not following an appropriate secure software development lifecycle (SSDLC). Facebook may have been started by college students, but it now holds personal information on hundreds of millions of people across many countries. It must be more responsible about how it handles that data and follow effective security practices throughout its development cycle. We have also heard from a number of people that Facebook is still an immature organisation, and that the large amount of money it has is what drives the company.
The company explained the error in its blog post, describing how the data came to be shared and how it was used. The cause was a bug in the contact-matching code that Facebook uses to generate friend recommendations from uploaded address books: contact details supplied by one user were inadvertently stored in association with other people's accounts, so when a user exported their account with the Download Your Information (DYI) tool, the archive could include email addresses or phone numbers of their contacts that those contacts had never shared with them. Facebook's own summary of the impact:
“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”