Facebook says a recent spam campaign that masqueraded as emails from the recipient’s Facebook friends was the result of what it deemed a “temporary” server misconfiguration.
The error allowed spammers to harvest public data from users’ friends lists. The spammers took the information and used compromised email accounts to launch the campaign. In a statement to NBC News, Facebook said:
“To help protect our users, we’ve built enforcement mechanisms to quickly shut down malicious Pages, accounts and applications that attempt to spread spam by deceiving users or by exploiting several well-known browser vulnerabilities. We have also enrolled those impacted by spam through checkpoints so they can remediate their accounts and learn how to better protect themselves while on Facebook.
“Beyond these protections, we’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people. In addition to the engineering teams that build tools to block spam, we also have a dedicated enforcement team that seeks to identify those responsible for spam and works with our legal team to ensure appropriate consequences follow.”
This incident is a good example of why it is not a good idea to make any of your personal info public on Facebook or any other site. This includes the “friends of friends” setting.
The company was quick to point out that the error has been fixed, no accounts were compromised and no private data was accessed. Whether users will trust Facebook enough to take its word for it remains to be seen. Facebook says it is continuing to investigate the incident and insists it was a solitary and isolated incident.