Facebook data breach may have included private Messenger chats

To say that Facebook has been a hot mess lately would be an understatement. The scandal surrounding the Cambridge Analytica data breach has been… complicated. And recent reports suggest that Facebook may be digging itself into an even deeper hole.

The Verge reports that the data collected by Cambridge Analytica likely included private user conversations from Messenger. A report detailing the key points of the scandal mentions the problematic nature of the network’s Graph v1.0 API and how it handled permissions. Apparently the API allowed the collection of large amounts of data on individual users, including their friends’ information, through Facebook Messenger. All that was needed was a single command.


“Once authorized with a single prompt, v1.0 app could potentially remain in the background collecting and processing people’s data  —  and that of their entire friend network  —  for years. Additionally, v1.0 apps could also request users’ private messages (i.e. their Facebook DM inbox) via the “read_mailbox” API request.”

The scope of the data collected from this prompt included a user’s friends’ “about me” details, check-ins, birthdays, locations, work history, and much more.


The table shows the scope of the data apps could collect via the Graph v1.0 API.

According to a notification sent out by Facebook, users who downloaded the This Is Your Digital Life app were the ones initially targeted by the breach. The app was created by Aleksandr Kogan, a researcher at the University of Cambridge. It was used to collect data on Americans, and could do so as soon as users granted it permission to access their profile. That data was then passed on to an affiliate of Cambridge Analytica.

While many Facebook profiles were affected, the problem may not have affected all that many users on Messenger. Facebook told Wired that only about 1,500 users granted permission to the app through Messenger. Still, as we’ve learned, friends of those who granted the app permission were also affected by the breach. As with Messenger, anyone who sent messages to or received messages from those affected could be impacted as well, so that number could be much bigger than Facebook is admitting.

Since 2015, Facebook has been using the newer v2.0 API, which grants apps much less access. The company has also been working on changing Instagram’s API to limit the amount of data that developers can collect. While the move isn’t a popular one with developers, it shows Facebook’s commitment to controlling the situation and reassuring users that it is making the right moves to protect user data.

While Facebook tries to put out this growing fire, the social network has set up a section within the help center that lets users check to see if their profiles may have been affected. You can access that page here.

Facebook founder and CEO Mark Zuckerberg is testifying before Congress as of this writing, answering questions about everything from privacy on the social media behemoth to whether Facebook is addictive. We’ll keep you updated as this multi-pronged story develops.
