How Facebook leaked thousands of private messages all because of a typo
Katya appears to be a teen girl living in Mexico.
Some of the things her friends have shared on Facebook include the massacre of baby cows in Farmville.
One of the private messages sent to Katya on Facebook might contain a biblical reference, or perhaps it’s a reference to a number significant to the Illuminati. At any rate, it reads:
Love and miss you. I want to give you this hug :33.
How do I know any of this, particularly given that Katya’s privacy settings prevent people from sending her a private message or writing on her wall unless they’re her friends?
I know because Forbes’ Kashmir Hill knows.
Kashmir Hill knows because a woman named Kristal McKenzie knows, and Kristal McKenzie knows because she received Katya’s private Facebook messages – they numbered 14,000 before the mess got cleaned up – updates from Katya’s friends, updates when Katya got poked, and friend requests.
The problem started, Hill writes, after McKenzie had given up on Facebook.
She had a baby on the way, wanted to focus on what she called “the people in [her] real life”, and was tired of Facebook’s near-constant privacy changes.
In spite of having closed her account, last summer, she got a message from Facebook welcoming her back.
It was in Spanish, and it was addressed to Katya.
Obviously, somebody signed up for an account and mistyped their email address, after which the personal life of Katya’s private Facebook persona began to spill into McKenzie’s world.
It should have been pretty straightforward to fix. There’s an option in the welcome email that a recipient can click to indicate that it’s not his or her email.
McKenzie did that, and, she told Hill, Facebook’s website accordingly told her that she would be disassociated from Katya’s account.
Only she wasn’t. Or rather, she sort of was, in that she couldn’t log onto the account so as to unsubscribe, since she was disassociated, but the messages didn’t stop coming.
She tried creating a new Facebook account with her email address, but the upshot was just that she got notifications on both accounts.
Her email messages to Facebook’s abuse and PR departments went into a black hole, as such messages from normal people – i.e., people who aren’t the media – tend to do.
She got in touch with the US Federal Communications Commission (FCC) and a privacy organization for young people that works with Facebook.
The privacy group said they’d pass along the message to Facebook. Again, that got McKenzie nowhere.
Both McKenzie and Hill tried to reach Katya through one of her friends, but that didn’t work. Katya actually went on to create Skype and AskFm accounts using McKenzie’s email address, but McKenzie managed to get those shut down.
Only when Hill, a reporter for a widely read magazine, got in touch with Facebook did the gaping privacy hole close.
The problem was, Facebook told Hill, a quirky little bug: in “extremely rare circumstances”, a spokesperson told her, the link at the bottom of emails that people use to report incorrectly addressed messages wasn’t working properly.
The spokesperson said that this perfect privacy storm was triggered by a combination of mistyping an email address, not confirming it, but then successfully confirming a contact phone number.
Facebook is now fixing it “to ensure it can’t happen again”, the spokesperson told Hill.
As Hill said, it sounds like a rare fluke, but what turns a molehill into a privacy mountain is the fact that the whole thing could have been, if not avoided completely, a lot less severe were Facebook to have responded to McKenzie’s messages about the situation in the first place.
McKenzie said that the episode belies Facebook’s claims to care about our privacy:
The tech companies assure us they’re concerned about privacy yet there was no way for me to notify Facebook about this. She’s a teenager. I didn’t want to be privy to what’s going on in her life.
Facebook, seriously, neither do I – answer the door when users like McKenzie ring your bell.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1sA_VCi0mxo/