Facebook loophole lets hackers harvest users' information

A software engineer is urging Facebook to take action after discovering a security loophole that could put thousands of users' data at risk.

Reza Moaiandin found he could harvest users’ names, profile pictures and locations just by guessing their mobile numbers – even if the numbers themselves were not made public.

A feature that lets would-be friends look for users’ Facebook profiles using their phone numbers is turned on by default, meaning profiles can be matched to their owners’ numbers.

Hackers could use the loophole to work systematically through the social network’s users and harvest data to sell online on the black market.

Using a simple script, Moaiandin was able to run entire countries’ possible number combinations through the search using Facebook’s API.

The information is publicly available, but by being able to identify profiles by guessing phone numbers, hackers might be able to find those of celebrities and other well-known figures.

The researcher has made Facebook aware of the issue, and users can avoid being looked up based on their mobile numbers by changing the “Who can find me?” privacy setting.

For more information, see Reza Moaiandin’s blog post.

