Hacked Facebook users still don’t know which 15 recent searches and 10 latest checkins were exposed in the company’s massive breach it detailed last week. The company merely noted that those were amongst the data sets stolen by the attackers. That creates uncertainty about how sensitive or embarrassing the scraped data is, and whether it could possibly be used to blackmail and stalk them.
Much of the scraped data from the 14 million most-impacted users out of 30 million total people hit by the breach was biographical and therefore relatively static, such as their birth date, religion or hometown. While still problematic because it could be used for unconsented ad targeting, scams, hacking attempts or social engineering attacks, at least users likely know what was illicitly grabbed.
Thankfully, some of the most sensitive data fields, such as sexual orientation, were not accessed, Facebook confirms to me. But the exposure of recent searches and checkins could threaten users in different ways.
Given the attack was so broad and impacted a wide variety of users, unlike say a targeted attack on the Democratic National Convention, there’s no evidence that blackmailing or stalking individual users was the purpose of the hack. For the average user hit by the breach, the likelihood of this kind of follow-up attack may be low.
But given that public figures, including Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg, were victims of the attack, as well as many reporters (myself included), there remains a risk that the perpetrators paw through the data seeking high-profile people to exploit.
Stolen data on “the 15 most recent searches you’ve entered into the Facebook search bar” could contain embarrassing or controversial topics, competitive business research or potential infidelity. Many users might be mortified if their searches for racy content, niche political viewpoints or their ex-lovers were published in association with their real name. Hackers could potentially target victims with blackmail scams threatening to reveal this info to the world, especially since the hack included user contact info, including phone numbers and email addresses.
Scraped checkins could power real-world stalking or attacks. Users’ exact GPS coordinates were not accessible to the hackers, but they did grab 14 million people’s “10 most recent locations you’ve checked in to or been tagged in. These locations are determined by the places named in the posts, such as a landmark or restaurant, not location data from a device,” Facebook writes. If users checked in to nearby coffee shops, their place of work or even their home if they’ve given it a cheeky name as some urban millennials do, their history of visiting those locations is now in dangerous hands.
If users at least knew what searches or checkins of theirs were stolen, they could choose if or how they should modify their behavior or better protect themselves. That’s why amongst Facebook’s warnings to users about whether they were hacked and what types of data were accessed, it should also consider giving those users the option to see the specific searches or checkins that were snatched.
When asked by TechCrunch, a Facebook spokesperson declined to comment on its plans here. It is understandable that the company might be concerned that disclosing the particular searches and checkins could unnecessarily increase fear and doubt. But if it’s just trying to limit the backlash, it forfeited that right when it prioritized growth and speed over security.
As Facebook tries to recover from the breach and regain the trust of its audience of 2.2 billion, it should err on the side of transparency. If hackers know this information, shouldn’t the hacked users too?