Could a rubber duck steal your identity on Facebook?

Graham Cluley

Two years ago, I took a small plastic frog given to me by my nephew, and used it to demonstrate how easy it was to extract personal information from complete strangers on Facebook.

Now, Sophos’s Australian office has conducted the experiment again – and this time they found an even higher proportion of people were prepared to risk having their identity stolen.

With a $2 rubber duck they named Daisy Felettin, they created the profile of a 21-year-old single woman and sent out 50 friend requests to randomly-chosen strangers in the same age group.

With a picture of two cats on a rug they created 50-something housewife Dinette Stonily, and – again – sent out 50 friend requests to strangers in “her” age range.

The results are, quite frankly, disturbing.


Paul Ducklin (yes, that really is his name), Sophos’s head of technology in Asia Pacific, who oversaw the investigation, discovered that 46% of users approached were happy to become friends and revealed personal information to Daisy the rubber duck – despite having no clue who she was.

In fact, 89% of Daisy’s new friends had published their full date of birth, 100% had revealed their email address, alongside other personal information which could be a boon to identity thieves and spammers.

Daisy the duck on Facebook

Dinette’s newly found friends, however, were of an older demographic and were typically less willing to share their full date of birth (although in many cases it could still be derived from other information they provided), but an astonishing 23% were willing to offer their phone number. Additionally, an eyebrow must be raised as to why this older age group claimed to have 932 Facebook friends on average (the younger crowd had 220). How is it possible to ever call that many people “friends”?

Ten years ago it would have taken several weeks for con artists and identity thieves to gather this kind of information about a single person. Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity thieves.

Learn more about the Sophos investigation into how easy it is to steal identities on Facebook, and advice from expert Paul Ducklin, on his blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
