Facebook Software Bug Made Some Private Posts Public: 14 Million Affected

A Facebook software bug in May switched the “suggested audience” for posts to “public” for 14 million users. The glitch meant Facebook users who thought they were sharing content with just friends or small groups actually made their posts available to the general public. The incident is the latest privacy gaffe for the social media company, which has faced a stream of backlash over data privacy problems since March.

Facebook said users impacted by the glitch, which occurred between May 18 and May 27, will be notified. It said affected users who had their privacy settings inadvertently changed will be reverted to their previous privacy settings.

“We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts,” Erin Egan, chief privacy officer at Facebook, said in a post on Thursday. “We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”

This bug occurred as Facebook was building a new way to share featured items on users’ profiles, Egan said. “Since these featured items are public, the suggested audience for all new posts – not just these items – was set to public,” she said. 

To be clear, no existing private posts were changed to be public, a Facebook spokesperson told Threatpost. The bug only changed the Facebook composer settings to “public” during the 10-day window. That meant privacy settings for existing Facebook posts had not changed. According to Facebook, it became aware of the glitch on May 22.

Impacted users received a notice asking them to review Facebook posts they made during the time – and if they posted publicly, they’ll see a notification when they log in leading to a page with more information.

The security hits seem to just keep coming for Facebook, which has faced backlash after an acknowledgement in March that since 2015 a third-party application had handed over the data of up to 50 million platform users through developer Aleksandr Kogan to Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including that of President Donald Trump.

Just earlier this week, a New York Times article alleged that Facebook struck deals enabling phone-makers to access users’ personal information. The article, posted Sunday, said Facebook reached data-sharing partnerships with at least 60 device-makers — including Apple, Amazon, Microsoft and Samsung — over the last decade. 

While these deals enabled the vendors to offer customers integrated features with Facebook, such as messaging and address books, the New York Times said that it found that they could also access the data of users’ friends without their consent.

Experts in the IT world think that Facebook, and other social media platforms, need to be more aware of the importance of data not to their business, but to their users.

“It is important that these platforms clean up their image and be more responsible with their users’ data,” Andrew Avenassian, chief operations officer at Avecto, told Threatpost. “Despite Facebook’s efforts to resolve the issue through third-party data restrictions, social media users still need to be vigilant about where they are authorizing their data. Data harvesting will continue to be an issue no matter what the initiative is to fix it. Ideally, no personally identifiable data should be collected in my opinion.”

Social media platforms need clear, regular and transparent communication with consumers, Ojas Rege, chief strategy officer of MobileIron, told Threatpost in an email. He added that they also need a strict vetting process for any data exchanges between partners.

“Every platform needs to take this incredibly seriously,” Rege said. “I don’t know how different platforms are structured technically but the learnings here should be absorbed and responded to by all.”

Facebook stressed on Thursday its efforts around transparency in an effort to rebuild trust with users and the tech community.  

“We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use your data – including when things go wrong. And that is what we are doing here,” Egan said.