A private Facebook group for women who are carriers of the BRCA breast cancer gene discovered that marketers were able to harvest their names and personal information because of a Facebook privacy loophole.
Christina Farr and Kate Fazzini of CNBC report on the Facebook Groups vulnerability that allowed third parties to discover real names and other info on people in closed groups, then download the info en masse.
“That's not good for those in private patient communities,” says Farr of the privacy vulnerability.
Marketers were able to harvest names and other information of the people in this group, who by joining the group, identified themselves as BRCA carriers or likely carriers.
The group's leader identified a Chrome browser plug-in for marketers that appeared to allow then to discover names and other information for members of private, closed groups. She contacted a security researcher who confirmed her suspicion.
Facebook has closed the loophole, and the Chrome plug-in has been discontinued.
On June 20, Trotter and the BRCA members received a response from Facebook, which included an acknowledgement that member lists for these closed groups were available publicly. According to the Facebook response provided by Trotter, a company representative said: "Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward."
A Facebook spokesperson confirmed the interaction and said the company continues to emphasize its commitment to the groups concept in allowing individuals to share sensitive experiences.
Members of the BRCA group replied to Facebook that they were dissatisfied with the response on June 26. By June 29, the ability to harvest details in this way was shut down on Facebook, according to Trotter and Downing.
Did Facebook really shut this privacy leak down? Looks like it.
CNBC contacted three other security professionals who verified that the ability to download member information from "closed" groups was once enabled, but now appeared to be unavailable.
Below, a related story shared on Twitter.
One of the largest closed support groups for 15,000 survivors of sexual assault was hacked this week. Instead of dealing with the hackers, Facebook chose to delete the entire group.
— Brave Bosom (@BraveBosom) July 11, 2018
Over the course of several hours, these hackers taunted these women. Threatened them. And it is very possible that they may have scraped their data to continue the abuse now that the group is deleted.
— Brave Bosom (@BraveBosom) July 11, 2018
This goes beyond cyber-bullying. It is digital abuse and suppression on a scale not seen before in history. Here is one of many screenshots they have before the group was deleted. pic.twitter.com/UwdAxkyZQz
— Brave Bosom (@BraveBosom) July 11, 2018
What we're witnessing is dangerous. For the hackers, this isn't just about victimizing these women. It's about making sure no one is sure who/what they can trust. And for Facebook, it's about choosing to delete the evidence of what happened.
— Brave Bosom (@BraveBosom) July 11, 2018