Four-million Facebook users’ data wide open for anyone to download for years

Data scooped up by personality app, left on a website with a public password.

Millions of Facebook users' information exposed after using *another* personality app

Yet another instance of a Facebook app putting innocent users’ sensitive private data at risk has been uncovered.

Six million people are thought to have completed tests set by the myPersonality Facebook app, with almost half agreeing to share details from their Facebook profiles with the understanding that data collected would be distributed “in an anonymous manner such that the information cannot be traced back to the individual user.”

However, it appears that the anonymisation was done in such a poor fashion that it might not be difficult for a determined party to de-anonymise the data and piece together intimate details of individuals using the rich data set.


That would be bad in itself, but things get worse according to a New Scientist report:

“Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.”

Just how easy was gaining unauthorised access to the Facebook users’ data? Well, according to the report, if you knew how to Google, it seems that you wouldn’t have had too much trouble stumbling across the password – as it had been posted publicly for anyone to see on GitHub for four years:

“The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.”
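The failure the report describes is mundane: a script that worked only because the live username and password were written into it, pushed to a public repository along with everything else. The usual guard against that is a secret scan run before code is committed. The following is an added example, written for this post and not code from the article, the university course or the myPersonality project; the regular expressions, the placeholder list and the sample script it scans are all constructed for illustration.

```python
import re
import sys

# Added example (not from the article): a minimal secret scanner of the kind a
# pre-commit hook runs, so that working login credentials never reach a public
# repository in the first place. The patterns below are assumptions chosen to
# illustrate the technique, not a complete list of credential formats.
PATTERNS = {
    # password = "..."  /  passwd: '...'  /  DB_PASSWORD="..."  /  api_key = '...'
    "assigned_password": re.compile(
        r"""(\w*(?:pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key))\s*[:=]\s*['"]([^'"]{4,})['"]""",
        re.IGNORECASE,
    ),
    # scheme://user:pass@host/...  (credentials embedded in a URL)
    "url_embedded_credentials": re.compile(
        r"""\b[a-z][a-z0-9+.-]*://([^\s:/@'"]+):([^\s@'"]+)@[^\s'"]+""",
        re.IGNORECASE,
    ),
}

# Values that are obviously placeholders rather than live secrets (constructed list).
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>", "your_password_here", "example", "placeholder"}


def looks_like_placeholder(value: str) -> bool:
    """True for template values such as 'changeme', '${DB_PASS}' or '<password>'."""
    lowered = value.lower()
    return lowered in PLACEHOLDERS or lowered.startswith("${") or lowered.startswith("<")


def find_credentials(source: str):
    """Return a list of (line_number, rule_name, matched_text) for likely live secrets."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, regex in PATTERNS.items():
            m = regex.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex)  # the last capture group is the secret value
            if looks_like_placeholder(secret):
                continue
            findings.append((lineno, rule, m.group(0)))
    return findings


def should_block_commit(source: str) -> bool:
    """A hook would refuse the commit when any likely credential is found."""
    return bool(find_credentials(source))


# Constructed sample standing in for a student's data-processing script.
# Host name and credential values are made up; nothing here is real.
SAMPLE_SOURCE = """\
import requests

DATA_HOST = "https://data.example.invalid/"   # placeholder host
USERNAME = "course_user"
PASSWORD = "s3cretCourseLogin"                 # constructed, not a real credential

def fetch(path):
    return requests.get(DATA_HOST + path, auth=(USERNAME, PASSWORD))

# Another way the same mistake gets made: credentials embedded in the URL
ALT_URL = "https://course_user:s3cretCourseLogin@data.example.invalid/export"

DB_PASSWORD = "changeme"   # placeholder, should not be reported
"""


if __name__ == "__main__":
    # Usage: python scan_secrets.py file1.py file2.py ...  (no arguments scans the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] \
        or [("<sample>", SAMPLE_SOURCE)]
    blocked = False
    for name, text in sources:
        for lineno, rule, matched in find_credentials(text):
            print(f"{name}:{lineno}: {rule}: {matched}")
            blocked = True
    sys.exit(1 if blocked else 0)
```

Wired up as a pre-commit hook, a non-zero exit refuses the commit, so the credentials the students pasted in would have been caught locally rather than sitting on GitHub for four years. The scanner deliberately ignores obvious placeholders, since a hook that fires on every `changeme` gets disabled within a week; the trade-off is that it will miss secrets stored in a format its patterns do not cover, which is why a generic scanner is a backstop for keeping credentials in environment variables or a secrets store, not a substitute.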

Thankfully – unlike the app at the centre of the Cambridge Analytica debacle – the myPersonality app did not also collect the data of users’ Facebook friends, otherwise the number of people put at risk would likely have been far higher.

Facebook suspended the myPersonality app in April of this year, four years after it started scooping up users’ information. Facebook says it has suspended approximately 200 other apps for using “large amounts” of profile information, pending investigations.

I’m pleased that Facebook is now trying to mop up these third-party apps which have broken users’ trust in the past, but to my mind it’s too late.

If you value your privacy, the only sensible step is to quit Facebook before worse things happen.

Check out our recent Smashing Security podcast where we discuss how to do precisely that.

Smashing Security #75: 'Quitting Facebook'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
