Web consultant Bogomil Shopov found a website offering data on over 1 million Facebook users for the princely sum of US$5.
So he bought it — and discovered that it was exactly as promised; an Excel document that was split into 12 sheets, with over 100,000 users detailed on each sheet, covering a total of around 1.2 million Facebook users.
Each entry includes a user's email address, full name and Facebook profile URL — collated from apps that the users allowed to access their profiles, in a direct violation of the written contract that app developers sign with Facebook.
The offer description said:
Whether you are offering a Facebook, Twitter, social media-related or otherwise a general product or service, this list has a great potential for you.
The details were mostly collected from users in the US, the UK, Canada and Europe, and Shopov even recognised some of the names as people he knows.
After he posted about it on his blog, Facebook got in contact with Shopov to resolve the issue — only to tell him that he was not allowed to talk about the conversation at all, and that Facebook would resolve the matter internally.
I asked if it was possible to tell what the problem was after they finished the investigation, so that the users could protect themselves, but they emphasised that it would be an internal investigation and they would not share any information with third parties. And they mentioned again that I must not tell about it to nobody.
Facebook told CNET Australia:
Facebook is vigilant about protecting people from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site. We have dedicated security engineers and teams that look into and take aggressive action on reports just like these. We continue to investigate this specific individual.
Edited 29 October, 9.07am AEST: added comment from Facebook.