Facebook loophole let marketers harvest data from private groups, report says
Members of a closed group discovered a Chrome extension let marketers download personal info, according to CNBC.
- Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has twice been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.
A Facebook privacy loophole let third parties find people's names in the social network's closed groups, according to CNBC.
The company has reportedly closed the loophole, and a Chrome extension allowing marketers to collect the information was also shut down after Facebook sent a cease-and-desist letter to its creators, according to the report.
Members of a private group for breast cancer gene carriers reportedly became concerned that their names were potentially being exposed, and that this would make them a target for discrimination from insurers. A Facebook representative told CNBC that the company's decision to disable seeing members of closed groups was based on "several factors" but wasn't connected to the group's concerns.
"While we recently made a change to closed groups, there was not a privacy loophole," a Facebook representative told CNET.
The social networking company is working to restore user trust following the Cambridge Analytica scandal earlier this year, in which data from as many as 87 million Facebook users was improperly shared with the political consultancy. It has also come under scrutiny after Russian trolls used the social network to meddle in the 2016 US presidential election.
Andrea Downing, a moderator for the group for women with the BRCA gene, told CNBC that she became worried about group members' privacy after finding out that a Chrome extension called Grouply.io let her download personal information of all 9,000 group members including names, employers, email addresses and locations. Grouply.io didn't immediately respond to a request for comment.
Downing reportedly reached out to security researcher Fred Trotter, who found that closed Facebook groups had a loophole that allowed third parties to collect people's names. He found that Grouply.io was designed for marketers to do this en masse, and that he could also gather people's information manually without the browser extension. He submitted a report to Facebook on May 29, according to CNBC. A Facebook representative told CNBC that member lists for closed groups were "viewable" but that people couldn't download the full list at once.
On June 20, Facebook reportedly responded to Trotter and the group members, acknowledging that member lists for closed groups were publicly available. About a week later, group members told the company they weren't happy with the response, and by June 29, that ability to collect details on Facebook was shut down, CNBC reported.
'Hello, humans': Google's Duplex could make Assistant the most lifelike AI yet.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.
First published July 12, 1:06 p.m. PT.
Update, 4:09 p.m.: Adds comment from Facebook.