Bulgarian blogger Bogomil Shopov wrote Tuesday that he had purchased a spreadsheet containing 1.1 million Facebook user IDs and email addresses for $5. The data was allegedly scraped by third-party applications and offered for sale on a website called Gigbucks by a user named “mertem.” Shopov verified that the emails did correspond to the Facebook user IDs, most of them private. He had even identified people he knew in the list. The next day, he was contacted by Facebook’s Platform Policy Team.
“Hi Bogomil,
We’d like to set up a call with you to discuss a recent blog post of yours. Could you please provide a time and a phone number that works with your schedule?
Platform Policy Team”
According to Shopov, Facebook wanted to reclaim the data and investigate the leak and sale (clear violations of the network’s terms of service), but their discussion was somewhat cloak and dagger. He summarized the exchange in a subsequent blog post — the exact thing Facebook asked him not to do.
“Now we would like you to send us this file, delete it, tell us if you have given a copy of it to someone, give us the website from which you bought it including all transactions with it and the payment system and remove a couple of things from your blog. Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation.”
Shopov confirmed these events to Mashable, and elaborated on his dealings with Facebook. He has spoken to them again since his latest post.
“I had a call with them last night [about] why I am writing those things on my blog,” Shopov tells Mashable in an email. “They didn’t mean to leave this impression on me, and we agreed on how to transfer the data to them. I gave them the data today via their secure system. I promised to delete the data, and I did.” Shopov shared this screenshot of the secure data transfer back to Facebook.
“[The seller] said the data came from a Facebook app, and I can believe that, because we checked a couple of profiles and there was no e-mail address present. This info cannot be scraped from the Facebook website,” Shopov explains.
While the seller’s listing for the data has been removed by Gigbucks, you can view a Google cached version here.
Shopov also forwarded the text of an email he received from “Josef” at Gigbucks, explaining that this listing was in clear violation of their terms.
“I am the admin of Gigbucks and wanted to let you know that we have deleted the Facebook profiles from our server as well as banned the user account “mertem” for violating our terms and conditions that clearly state that such things may not be offered on Gigbucks.
We manually approve each gig and I don’t know how this one slipped through the crack. I apologize and we will take steps to improve our gig reviewing process to make sure such things will never be posted on
Please let me know if there is anything else that we can do.”
At the time of this writing, Facebook has not responded to our request for comment.
UPDATE: A Facebook representative has responded to our request for comment: “Facebook is vigilant about protecting our users from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site. We have dedicated security engineers and teams that look into and take aggressive action on reports just like these. We continue to investigate this specific individual.”
Protecting Yourself
This issue obviously raises privacy concerns for Facebook users. It’s about the privileges third-party apps have when connected to your account. Most have access to private data in your profile (email address, user behavior) and some allow your friends’ apps to access this data as well. It’s mostly used to make the experiences around apps and games more social. But it would be relatively easy for a malicious app developer to scrape the information into a database and sell it to marketers and spammers — the likely intention in this case.
How can you protect yourself?
- Be mindful of the apps you connect to your Facebook account. Only use apps you trust from established publishers, and even then, don’t connect many of them.
- Check your apps often and remove unwanted or unknown applications. Go to your Privacy Settings, click Ads, Apps and Websites and remove apps that you’re not using or that may have been connected to your account unintentionally.
- Control what your friends’ apps can see about you. Even if you don’t have apps connected to your account, the private information you only share with friends might be accessible to the apps they are using. Turn this data off by editing the settings in How people bring your info into apps they use.
- Turn off the Facebook Platform. If you never use any apps or games, you can completely disable the Facebook Platform, which will cut your private data off from third party developers completely. Click Turn off your ability to use apps… in the first section.
Screenshots courtesy of Bogomil Shopov.