“In the course of one day I had Facebook go through over 10,000 e-mail addresses; ranging from reporters of prominent newspapers and CNN, to board of directors of Microsoft, Google, and Gates Foundation, and even the entire staff directories of government organizations and the World Bank,” Mr. Sheppard said in an e-mail message to a New York Times editor. “Of those it did find on Facebook, over 30% had their personal email addresses listed, which Facebook gladly gave me, without any of [the Facebook users] knowing.”
The Gambia RPCV Mike Sheppard finds bug in Facebook
A Facebook ‘Bug’ Revealed Personal E-mail Addresses
By Riva Richmond
Updated 5:11 p.m.: Added quote from Graham Cluley.
Updated 10:22 a.m.: Corrected Mr. Sheppard’s dates of service in Gambia.
Security Privacy
Facebook inadvertently gave a “curious” former Peace Corps volunteer and National Guardsman a batch of personal — and probably private — e-mail addresses for other Facebook users, including six Google executives and board members and 61 reporters and editors at The New York Times and The Wall Street Journal.
Mike Sheppard, a 29-year-old from Holland, Mich., who earned a master’s in statistics in December and has no advanced computer training, sent a mass-blast e-mail to each of The Times and Journal reporters describing a Facebook programming glitch that made it possible. “I wanted to make sure the press knew so Facebook could correct it,” he said in an interview.
The programming error Mr. Sheppard discovered was in a feature that allows users to quickly find out whether people they know are on Facebook and invite them to become a friend by uploading a .txt or .csv file of email addresses. Facebook compares the addresses to those of its members and displays the matches. The results list shows profile pictures, names, networks and e-mail addresses, some of which are personal and, in at least one case, subject to restricted access per the user’s privacy settings. Spammers and scammers of various ilk could use this feature to collect working e-mail addresses and use them to contact individuals.
Facebook, which was notified about the situation by The Times, said the display of e-mail addresses other than the one used in searches was the result of “a bug.” It introduced a fix for the tool late Wednesday so that the tool now displays no e-mail addresses.
“A bug caused one of our tools for finding new friends on Facebook to show a different e-mail addresses than the one entered into a search for some users who had multiple e-mail addresses on their profile,” said a Facebook spokesperson. “We fixed the bug within hours of it being reported to us.”
Mr. Sheppard’s discovery was the result of both serendipity and curiosity. He first used the feature to find people he had known from the Peace Corps (he was in Gambia from 2003 to 2005), in part because of his work on a Peace Corps community blogging site and information project.
The process of uploading a simple file with addresses struck him as overly easy, and he wondered if it would work if he plugged in “random addresses.” So he began assembling lists of corporate e-mail addresses for various organizations, using staff directories, Google searches and simple guesses based on various standard e-mail formulations. Then fed them into Facebook. “I just tried different organizations on a whim,” he said. Facebook ignored wrong addresses and spit out site member information for correct ones, along with personal e-mail addresses, if users had provided them.
“In the course of one day I had Facebook go through over 10,000 e-mail addresses; ranging from reporters of prominent newspapers and CNN, to board of directors of Microsoft, Google, and Gates Foundation, and even the entire staff directories of government organizations and the World Bank,” Mr. Sheppard said in an e-mail message to a New York Times editor. “Of those it did find on Facebook, over 30% had their personal email addresses listed, which Facebook gladly gave me, without any of [the Facebook users] knowing.”
“Confirming that someone with email address ‘x’ is on Facebook is one thing, but revealing that they also have the personal email address ‘y’ potentially puts them at risk of hacking or some other type of fraud,” said Graham Cluley, a senior technology consultant at security company Sophos. “Inevitably as more and more sites collect our personal information, the risk of cybercriminals getting hold of it (through accidental leakage or malicious hacking) is increasing. We would all be wise to think carefully about what we share on social networks.”
Mr. Sheppard sent friend requests to many of the 368 people whose private e-mail address he uncovered, in an effort at transparency. He suspects that’s what prompted a warning message from Facebook, notifying him that it had detected his “misuse” of site features that could lead to the termination of his account.
