3 million users exposed in another Facebook privacy scandal

May 16, 2018

After the embarrassing Cambridge Analytica fiasco, Facebook is obviously in damage control mode, trying its best to clean up its platform and assure its 2 billion-strong user base that it is improving its data security practices.

While millions of people have gone on to update their privacy settings and review their apps, if not deactivate or delete Facebook altogether, CEO Mark Zuckerberg has promised to rethink how Facebook is handling third-party apps and their access to user data.

It all started with a massive audit of all Facebook third-party apps but it looks like the wheels of the crackdown are now in motion.

But is this enough? As evidenced by this new leak, the amount of Facebook data that’s still floating out there can be bigger than we could possibly know.

myPersonality Quiz

The Facebook data of more than 3 million people who used a personality quiz was left publicly exposed online for years for anyone to view, according to a new report from New Scientist.

Researchers from The University of Cambridge (yep, them again) gathered the data from a Facebook quiz called “myPersonality” and made it available to other researchers through a website.

Although the data was locked with a username and password, New Scientist found that the credentials can be found online in less than a minute via a quick web search. Oops!

The username and password were apparently uploaded to code-sharing site GitHub about four years ago by a university lecturer and shared them with some of his students enrolled in a course on Facebook data processing. How appropriate.

The data collected is highly personal as it contains the psychological profiles of the myPersonality quiz takers including personality characteristics such as conscientiousness, agreeableness and neuroticism.

The data also contained 22 million status updates from 150,000 users as well as the age, gender and relationship status of 4.3 million people.

The dangers of anonymized data

The myPersonality quiz was created by David Stillwell in 2007 and it allowed Facebook users to take a real psychology exam and obtain their results instantly within the app.

According to the report, more than 6 million Facebook users took the myPersonality quiz from 2007 to 2012 and around 40 percent of the participants opted to share from their Facebook profiles.

All the data was then anonymized by having all associated profile names removed. The anonymized data was then uploaded to a website to share with other researchers.

More than 280 people were given access to the data, including other university researchers and tech companies like Google, Microsoft, Yahoo and Facebook itself.

However, while the data was anonymized, each user in the data set was given a unique ID, which linked data like gender, age, location, the test personality results and even status updates.

Given this wealth of linked information, data analysts said that de-anonymizing data can be easily done.

Shades of Cambridge Analytica

If all of this sounds all too familiar, well don’t be surprised, it mirrors the Cambridge Analytica fiasco all too closely.

Similar to the Cambridge Analytica scandal, wherein the data was acquired via a Facebook app called “this is your digital life,” myPersonalty’s data was also acquired from a Facebook personality test developed by University of Cambridge researchers.

Interestingly, the creator of “this is your digital life,” Professor Aleksandr Kogan, is also listed as a collaborator on the myPersonality app until 2014.

According to New Scientist, Stillwell disclosed that Cambridge Analytica actually approached the myPersonality app team in 2o13 for data access but the company was turned down due to its “political ambitions.”

Part of Facebook’s crackdown

myPersonality was suspended by Facebook on April 7 and it is among the 200 apps that were suspended for possible data misuse.

This is part of the promised app investigation and audit that Facebook CEO Mark Zuckerberg announced on March 21 during the height of the Cambridge Analytica scandal.

Facebook is also aware that the data’s login credentials were available on GitHub and it is already flagged in its new data misuse bug bounty program.

If Facebook’s investigation team finds evidence that myPersonality (or other apps) misuse data, they will be banned forever from the social platform. Similar to the Cambridge Analytica fiasco, affected users will be notified via this Facebook page.

Review your Facebook apps and think twice before using one

This is the main reason you should be careful about allowing third-party apps and websites to integrate with your Facebook account and exchange data with them.

You don’t really know what that little quiz, photo app, or game might do with all the Facebook data you gave them access to. While there is no denying that this integration can be convenient, it also has a big potential for abuse.

Some apps go beyond your basic profile info and ask for more data than they ought to. If you’re not careful about granting these permissions, an app can wind up mining even your most personal data.

With that said, now is the right time to check, review and audit your Facebook third-party apps. Throw out the outdated, delete the unwanted, kill the unused, remove all the suspicious apps lurking in your Facebook account as soon as you can.

Click here for the complete steps on how to review and deactivate your third-party apps on Facebook.

In related news, our old friend Prof. Kogan scooped Twitter data too

Now, the question is, what other social media sites did Kogan gain access to? It turns out that apart from Facebook, Kogan reportedly had access to at least another social media network’s public data. Click here to read the full story.

Tags: Facebook, Google, privacy, security, X (Twitter)