Facebook loophole let marketers harvest data from private groups, report says

Members of a closed group discovered a Chrome extension let marketers download personal info, according to CNBC.

Abrar Al-Heeti Technology Reporter

Abrar Al-Heeti is a technology reporter for CNET, with an interest in phones, streaming, internet trends, entertainment, pop culture and digital accessibility. She's also worked for CNET's video, culture and news teams. She graduated with bachelor's and master's degrees in journalism from the University of Illinois at Urbana-Champaign. Though Illinois is home, she now loves San Francisco -- steep inclines and all.

Expertise Abrar has spent her career at CNET analyzing tech trends while also writing news, reviews and commentaries across mobile, streaming and online culture. Credentials

Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has three times been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.

See full bio

Abrar Al-Heeti

July 12, 2018 4:09 p.m. PT

2 min read

Getty Images

A Facebook privacy loophole let third parties find people's names in the social network's closed groups, according to CNBC.

The company has reportedly closed the loophole, and a Chrome extension allowing marketers to collect the information was also shut down after Facebook sent a cease-and-desist letter to its creators, according to the report.

Members of a private group for breast cancer gene carriers reportedly became concerned that their names were potentially being exposed, and that this would make them a target for discrimination from insurers. A Facebook representative told CNBC that the company's decision to disable seeing members of closed groups was based on "several factors" but wasn't connected to the group's concerns.

"While we recently made a change to closed groups, there was not a privacy loophole," a Facebook representative told CNET.

The social networking company is working to restore user trust following the Cambridge Analytica scandal earlier this year, in which data from as many as 87 million Facebook users was improperly shared with the political consultancy. It has also come under scrutiny after Russian trolls used the social network to meddle in the 2016 US presidential election.

Andrea Downing, a moderator for the group for women with the BRCA gene, told CNBC that she became worried about group members' privacy after finding out that a Chrome extension called Grouply.io let her download personal information of all 9,000 group members including names, employers, email addresses and locations. Grouply.io didn't immediately respond to a request for comment.

Downing reportedly reached out to security researcher Fred Trotter, who found that closed Facebook groups had a loophole that allowed third parties to collect people's names. He found that Grouply.io was designed for marketers to do this en masse, and that he could also gather people's information manually without the browser extension. He submitted a report to Facebook on May 29, according to CNBC. A Facebook representative told CNBC that member lists for closed groups were "viewable" but that people couldn't download the full list at once.

On June 20, Facebook reportedly responded to Trotter and the group members, acknowledging that member lists for closed groups were publicly available. About a week later, group members told the company they weren't happy with the response, and by June 29, that ability to collect details on Facebook was shut down, CNBC reported.

'Hello, humans': Google's Duplex could make Assistant the most lifelike AI yet.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

First published July 12, 1:06 p.m. PT.
Update, 4:09 p.m.: Adds comment from Facebook.