Another Facebook data leak left the personal information of millions of users exposed online for anyone to access.
First reported by New Scientist, the leak is similar in many ways to the ongoing Cambridge Analytica crisis that saw a political data firm exploit the personal information of 87 million Facebook users. Like that incident, this latest leak involves a third-party personality test app developed by professors at Cambridge University.
The app, MyPersonality, gathered highly sensitive information about users, including their age, gender, status updates, and location, and distributed it on an unsecured website to 280 researchers from 150 institutions, including Microsoft, Facebook, and Google. More than 6 million people completed the test, and around half of them agreed to share data from their profiles. The flood of information was supposed to be anonymized, but responses and results were packaged together under a single unique ID per user, making it easy to backtrack and determine whom the data belonged to. If this process were automated, data could quickly be linked to millions of names.
“This type of data is very powerful and there is real potential for misuse,” Chris Sumner of the Online Privacy Foundation told New Scientist.
Researchers had to register as collaborators with the project to access the full data set. However, an exposed set of credentials made it easy for any bad actor to take the information, even those without an academic contract. For four years, the username and password needed to download the data sat open to the public on GitHub. The credentials were reportedly passed from a university lecturer to students for a course project on Facebook data management. It appears one of the students included the login information in a public GitHub repository that could be found with a simple web search. New Scientist confirmed that gaining access to the information was “relatively easy.”
In total, the leak left 22 million status updates from 150,000 users, along with the age, gender, relationship status, and personality test details of 4.3 million people exposed.
The app’s creators, David Stillwell and Michal Kosinski, were reportedly involved with a company called Cambridge Personality Research, which sold a tool for ad targeting based on MyPersonality data sets.
While they are separate incidents, there are many ties between this latest leak and the incident involving Cambridge Analytica. Aleksandr Kogan, the Cambridge University professor who developed the “This is Your Digital Life” app at the heart of the data harvesting scandal, was reportedly involved with MyPersonality until 2014. Facebook suspended the app last month amid a crackdown on third-party apps that violate its privacy rules. Its website has been taken down, and the login and password from GitHub no longer work. Stillwell’s website and Twitter account were also mysteriously deleted.
It’s important to note that unlike Kogan’s, this app did not sell information to researchers or institutions. While researchers from commercial companies could access the data, they were forced to agree to strict data protection policies. Cambridge Analytica, the firm that purchased from Kogan’s app, approached the MyPersonality team for its data but was supposedly turned down.
It’s not clear how many outside parties used the exposed credentials to access the data or what they might have done with it. The Information Commissioner’s Office, the U.K.’s data watchdog group, is investigating the incident.
Facebook announced today that after reviewing “thousands” of apps, it has banned around 200 pending a “thorough investigation” into whether their developers misused user data. The action is just phase one of its Cambridge Analytica cleanup, which could take years.