It’s a busy day for Facebook: CEO Mark Zuckerberg is scheduled to testify about the site’s (many) vulnerabilities before Congress — part one of a three-day-long apology tour — and earlier this morning, the company officially informed all 87 million users whose personal data was harvested by the political consulting and data analytics firm Cambridge Analytica of their affected status. It turns out that potentially malicious third parties weren’t just able to get their hands on users’ likes and profile information without explicit permission; they could get their private messages, too.
That figure includes both those who logged into the (now notorious) app “This Is Your Digital Life” and those who didn’t, and the majority of the affected users belong to the latter camp. The app, a personality quiz designed by researcher Aleksandr Kogan, obtained the personal info of over 87 million users by using a feature of Facebook’s API that gave an app access not only to the data of the user who authorized it, but to that user’s friends’ data as well.
“We have banned the app ‘This Is Your Digital Life,’ which one of your friends used Facebook to log into,” said one of Facebook’s mobile notifications. “We did this because the app may have misused some of your Facebook information by sharing it with a company called Cambridge Analytica. In most cases, the information was limited to public profile, Page likes, birthday, and current city.”
The more detailed version of the breach notification, however, indicates that wasn’t all Cambridge Analytica had access to.
“A small number of people who logged into ‘This Is Your Digital Life’ also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you. They may also have shared your hometown.” [Emphasis ours.]
Kogan’s app, and through it Cambridge Analytica, was likely able to collect this information by using the extended permissions made available to app developers through version 1.0 of Facebook’s Graph API, which let apps request access to huge swaths of data about a user’s friends without having to justify the request. As noted by professor and researcher Jonathan Albright, “v1.0 apps could also request users’ private messages (ie, their Facebook DM inbox) via the ‘read_mailbox’ API request,” meaning the app could read every message thread in that user’s inbox, including the other party’s side of the conversation, even though those other users never authorized the app. That is the core design flaw: a permission granted by one user exposed data belonging to people who were never asked.
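To make the consent gap concrete, here is an added, constructed model of how a single user’s permission grant fanned out to friends and message counterparties under v1.0, and how far it shrinks once friends’ data is only reachable when the friend has also installed the app (the change Facebook made in v2.0). This is not Facebook’s code or API: the scope names (user_likes, friends_likes, friends_birthday, friends_location, read_mailbox) are taken from the deprecated v1.0 permission vocabulary, but the data structures, the scope-to-field mapping, the sample users and the simplified “v2” rule are assumptions made for illustration.

```python
"""
Constructed, simplified model of the Graph API v1.0 consent gap.
Not Facebook's code or API: scope names come from the deprecated v1.0
permission vocabulary; the data model and the "v2" rule (friends' data
readable only if the friend also installed the app) are assumptions.
"""
from dataclasses import dataclass, field

# v1.0 scope -> field on a *friend's* profile it unlocked (assumed mapping).
FRIEND_SCOPES = {
    "friends_likes": "likes",
    "friends_birthday": "birthday",
    "friends_location": "current_city",
}


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # (counterparty, text) pairs sitting in this user's message inbox
    inbox: list = field(default_factory=list)


@dataclass
class Install:
    user: str      # user who logged into the app
    scopes: set    # permissions that user granted


def exposed_data(users, installs, api_version):
    """Compute what the app can read.

    Returns (exposed, non_consenting): exposed maps user name -> set of
    field labels the app can read; non_consenting is the subset of those
    users who never installed the app themselves.
    """
    exposed = {}
    installers = {i.user for i in installs}

    def add(name, item):
        exposed.setdefault(name, set()).add(item)

    for inst in installs:
        me = users[inst.user]
        for scope in inst.scopes:
            # Own profile: only what the installer explicitly granted.
            if scope.startswith("user_"):
                add(me.name, scope[len("user_"):])
            # read_mailbox hands over whole threads, so the other party's
            # messages leave with them regardless of that party's consent.
            elif scope == "read_mailbox":
                for other, _text in me.inbox:
                    add(me.name, f"message_with:{other}")
                    add(other, f"message_with:{me.name}")
            # friends_* scopes: in v1.0 they reach every friend; in the
            # modelled v2 rule a friend is reachable only if they also
            # installed the app (assumption, see module docstring).
            elif scope in FRIEND_SCOPES:
                for fr in me.friends:
                    if api_version == 1 or fr in installers:
                        add(fr, FRIEND_SCOPES[scope])
    non_consenting = {n for n in exposed if n not in installers}
    return exposed, non_consenting


def build_sample():
    """Constructed scenario: one installer (alice) and three bystanders."""
    users = {
        "alice": User("alice", friends={"bob", "carol"},
                      inbox=[("bob", "lunch?"), ("dave", "see you friday")]),
        "bob": User("bob", friends={"alice"}),
        "carol": User("carol", friends={"alice"}),
        "dave": User("dave"),  # not a friend, but has messaged alice
    }
    installs = [Install("alice", {"user_likes", "friends_likes", "read_mailbox"})]
    return users, installs


if __name__ == "__main__":
    users, installs = build_sample()
    for version in (1, 2):
        exposed, leaked = exposed_data(users, installs, version)
        print(f"API v{version}: non-consenting users exposed: {sorted(leaked)}")
        for name in sorted(exposed):
            print(f"  {name}: {sorted(exposed[name])}")
```

In the sample, one install by alice exposes bob, carol and dave under v1 even though none of them touched the app; under the v2 rule carol drops out, but bob and dave are still exposed through alice’s inbox, which is why the read_mailbox grant is the more serious of the two paths. The design lesson is that a permission model has to scope each grant to data the granting principal actually owns.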
You can check your own Facebook profile’s status here.
Update 04/10/2018 2:10PM: In a statement to Wired, Facebook said that "a total of 1,500 people granted This Is Your Digital Life [read_mailbox] permission, although the total number of people affected remains unknown." This article's headline has been updated to reflect this.