Facebook has discovered that “malicious actors” have been harvesting profiles for years by abusing its phone number and email search facility.
It said “most people” could have had their profiles harvested in this way.
The site let people search for their friends by typing in their phone number or email address.
It revealed scammers had abused the facility and used it to link phone numbers and emails to people’s names and profile information.
The company has faced scrutiny after it was revealed that the data of millions of people was improperly shared with the political consultancy Cambridge Analytica.
‘Set-up for a scam’
Facebook has previously encouraged people to add their phone number to their account. It said doing so would make it easier to connect with friends, or improve account security.
Members could choose not to show their phone number on their profile, but by default anybody could then find their Facebook profile by typing in the phone number.
It was not possible to completely opt out of the search facility. Instead, people could choose only to appear in searches made by their friends.
Security researchers have previously written about how the feature could be abused by a scammer.
An attacker could type in any phone number – even one they had made up by guessing – and link it to a person’s profile. Often this would reveal their name, location and other profile information.
By linking a phone number to personal details, a scammer could telephone the victim and address them by name. They could pretend to be from a bank or other organisation.
“This is known as enumeration, going through all the iterations of a number,” said security researcher Ken Munro from Pen Test Partners.
“If you wanted to scam somebody, you had a route to find their details and know their name – a fantastic set-up for a scam.”
Facebook said the facility had been “useful” for finding friends, especially in countries where many people have the same name.
It said phone number searches made up “7% of all searches” in Bangladesh.
However, it said an audit had revealed that scammers had managed to act with “scale and sophistication”. It said “most people on Facebook could have had their public profile scraped in this way”.
Speaking to reporters, Mark Zuckerberg said technical measures to prevent account scraping – such as limiting the number of searches a person could make – had been defeated.
“The methods of rate limiting this weren’t able to prevent malicious actors who cycled through hundreds of thousands of different IP addresses and did a relatively small number of queries for each one,” said Mr Zuckerberg.
“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way.
“Given that and what we know today, it just makes sense to shut that down.”
The company has now disabled the ability to search by phone number.
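The limitation Mr Zuckerberg describes above, that a per-address rate limit never fires when each address makes only a handful of queries, can be shown with a small detection exercise. The following Python is an added example written for this article; it is not Facebook's code and the article says nothing about how its limits were implemented. The log entries are constructed sample data, the thresholds (PER_IP_LIMIT, GLOBAL_LIMIT, MIN_RUN) are hypothetical, and the point is that aggregate signals, such as total lookup volume and whether the numbers being looked up form a consecutive range (the "enumeration" Ken Munro refers to), catch a distributed scrape that a per-source counter misses.

```python
"""Added example (not from the article or Facebook): a per-source rate
limit compared with two aggregate signals for lookup-by-phone-number
abuse.  All log entries are constructed; all thresholds are hypothetical."""
from collections import Counter

PER_IP_LIMIT = 20   # hypothetical: max lookups one source may make per window
GLOBAL_LIMIT = 500  # hypothetical: max lookups across all sources per window
MIN_RUN = 50        # hypothetical: consecutive-number run that counts as a scan


def per_ip_rate_limit(events, limit=PER_IP_LIMIT):
    """Classic defence: return the set of sources that exceeded the per-source limit.
    Each event is a (source_ip, phone_number) pair from a lookup log."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def global_volume_alert(events, limit=GLOBAL_LIMIT):
    """Aggregate signal 1: total lookups in the window, regardless of source."""
    return len(events) > limit


def longest_consecutive_run(events):
    """Aggregate signal 2: longest run of consecutive phone numbers looked up.
    Genuine users look up a few unrelated numbers; a scan walks a range."""
    numbers = sorted({n for _, n in events})
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumeration_alert(events, min_run=MIN_RUN):
    return longest_consecutive_run(events) >= min_run


def analyse(events):
    """Run all three checks over one window of lookup events."""
    return {
        "per_ip_blocked": per_ip_rate_limit(events),
        "global_alert": global_volume_alert(events),
        "sequential_alert": enumeration_alert(events),
    }


def distributed_scrape_sample(sources=200, per_source=5, start=2025550000):
    """Constructed log resembling what the article describes: many sources,
    a few lookups each, together walking one contiguous number range."""
    events = []
    number = start
    for i in range(sources):
        ip = f"198.51.100.{i}"  # TEST-NET-2 documentation addresses
        for _ in range(per_source):
            events.append((ip, number))
            number += 1
    return events


def normal_traffic_sample():
    """Constructed log: a few users each looking up a couple of unrelated numbers."""
    return [
        ("192.0.2.10", 2025551234), ("192.0.2.10", 2025559876),
        ("192.0.2.11", 2025550042),
        ("192.0.2.12", 2025557777), ("192.0.2.12", 2025553131),
        ("192.0.2.12", 2025551010),
    ]


if __name__ == "__main__":
    # The distributed pattern: per-source limit silent, both aggregate alerts fire.
    print("distributed:", analyse(distributed_scrape_sample()))
    # Ordinary traffic: nothing fires.
    print("normal:     ", analyse(normal_traffic_sample()))
```

Running it shows the distributed sample passing the per-source check untouched (five lookups per address is well under the limit) while the global volume and consecutive-run checks both trigger; the normal sample trips nothing. In a real deployment these signals would be computed over a time window and fed to the same throttling or CAPTCHA path as the per-source limit, which is the design gap the article's account of "hundreds of thousands of different IP addresses" points at.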