Facebook owns up to serious privacy breach. Tells the world late on a Friday night (again)

Any time that Facebook admits that it has exposed the privacy of millions of its users, it’s sure to gain the attention of the world’s newspapers and tech bloggers.

The latest news is that approximately 6 million Facebook users had their email addresses or telephone numbers inappropriately shared.

Bad enough, you might think, but when you dig down into how the breach occurred you realise that the users may *never* have uploaded those email addresses and contact numbers to Facebook themselves.

Facebook privacy breach announcement


Pardon me for being cynical, but it seems somewhat convenient that Facebook releases the news on Friday afternoon Pacific Time when many reporters are either looking forward to a weekend away from their keyboards, or are already shutting down their computers or are even tucked up in bed.

If I was in charge of Facebook’s crisis communications team, I might also counsel that the best way to minimise fall-out from the announcement you don’t really want to make is to release it at precisely the same time – when America’s East coast reporters have left the office for the weekend, and Europe is already asleep.

The hope would be that by Monday, when the media settles down for another working week, the story will already seem stale. Facebook is saying all the right things in an attempt to dampen any flames, saying (and I believe them) that it has seen “no evidence that the “bug” has been exploited maliciously”.

It doesn’t do the company any harm either, of course, if they give the embarrassing announcement a dull title like “Important Message from Facebook’s White Hat Program”, rather than using words like “Privacy Breach” or “Sorry, we screwed up”.

It’s called damage limitation. For the Facebook brand, at least. It’s not called doing your level best to get the issue reported to as wide an audience as possible.

It’s not the first time that Facebook has made an announcement of a privacy/security snafu at the best possible time of the week, PR-wise.

For instance, at a near identical time on another Friday (February 15, 2013) earlier this year, the social network announced that malware breached its developers’ systems, exploiting a zero-day Java exploit.

Facebook malware attack announcement

Two announcements that no company ever really wants to make. Both released at the same time of day, at the same time of the week, to minimise damage to the social network’s reputation.

Hats off to Facebook’s PR team. They’re earning their money.

In all likelihood, they’ll be proving their worth to the company again. After all, Facebook’s internal mantra is “Move fast and break things”.

If you want to stay informed about Facebook security and privacy issues, why not join my Facebook page?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

3 comments on “Facebook owns up to serious privacy breach. Tells the world late on a Friday night (again)”

  1. Steve

    I don't think my info was released this time around (as I have deleted my account) but it must have been released in an earlier episode of Facebook hacking. I still get a lot of emails using 'Facebook' friends' names with sexual connotation subjects – how do I know it was Facebook and not my email address that was hacked – because I don't have the friends' email addresses, and they don't have mine.
    This week alone I have deleted probably around 50 such emails, and it has been going on for over a year now…if not two.

  2. Facebook is not serious about their security. In reality it's still run by people who do not understand security. It's my first-hand experience.

  3. Hi Graham,
    Nice blog.

    Facebook's representative told ZDNet last week that the "data is not obtained through an app or database tool. Data about you is obtained by the seemingly innocuous voluntary actions on Facebook of people you know."

    I disagree.

    http://www.zdnet.com/anger-mounts-after-facebooks-shadow-profiles-leak-in-bug-7000017167/

    I downloaded my archives over a week ago and all the addresses & phone numbers look like they came from 2006-2009 (my Blackberry contacts | Verizon) and also listed email addresses from a Gmail account that I do not use anymore.

    I have one contact that is not connected to any friends on Facebook, does not have a Facebook account, shuns social media and is a "lone friend back east," that is not connected to any of my friends or family. So how does Facebook explain that one?

    Cheers,
    /Bev
