"In 2013, Brandon Copley, the CEO of Giftnix, was threatened with legal action after using the technique to demonstrate how personal information could be easily gathered at scale.

"Multiple Facebook profiles were extremely easy to scrape," he explains. In a series of conversations with Facebook security developers, Copley explained the issue and was told there was "no security vuln here, even though it does seem like one on first glance."

The method of scraping can work in multiple ways but largely relies on feeding Facebook's API a list of phone numbers or email addresses that have been automatically generated. These could also have been obtained from data breaches or leaks of information online.

"Just query Facebook as often as possible until they ban your IP for querying too fast, and at that point you just slow down until the queries stop," Copley explained in an email. "I was doing my work purely for research and exposing the vulnerability for Facebook."

...

The issue was again raised by researchers in 2015.

Reza Moaiandin, who founded cybersecurity company CyberScanner, published a blog post about the "loophole". He said he was able to gather thousands of users' personal information by guessing their mobile numbers. Within this information were details of names, locations, and profile pictures.

In response, Facebook told him it didn't "consider it a security vulnerability" but had controls in place to stop it being abused. Zuckerberg's most recent statement goes against this, admitting Facebook's efforts to stop malicious actors hadn't worked."

Source:

http://www.wired.co.uk/article/facebook-news-data-scraping-mark-zuckerburg

"A few months ago, I discovered a security loophole in Facebook that allows hackers to decrypt and sniff out Facebook user IDs using one of Facebook's APIs in bulk - therefore allowing them to gather millions of users' personal data (name, telephone number, location, images, and more). This post is an attempt to catch Facebook's attention to get this issue fixed.

By using a script, an entire country's (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on).

...

For those of you who are wondering why I haven't notified Facebook about the issue, the truth is that I have - back in April (2015).

Although I did receive a reply, initially the engineer I was in contact with was unable to reproduce the issue himself, and therefore failed to understand the technical details of how it should be fixed.

...

After a couple of months of waiting, I initially thought someone else would look into it and fix it, but I heard nothing, so I raised the flag with them again. They finally came back to me and told me that this is not a big issue - they have set limits and I should not worry about this problem. But frankly, I am very worried.

...

Comment from reader:

Great blog post. I reported an almost identical issue (albeit a different API) to Facebook in January 2014 but faced similar difficulties getting them to recognise the scope for abuse. I was able to look up contiguous blocks of mobile numbers (in blocks of 5,000 at a time) with no discernible rate-limiting - I could pull them down as fast as my connection could handle (maybe ~50k numbers/min).

If you make any headway with Facebook let us know and I will try pinging them again. It was especially worrisome as the number range I tried (NYC) had a hit-rate of about 20%."

Source:

https://salt.agency/blog/facebook-security-loophole/
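The scraping loop the quoted articles describe (walk a contiguous block of numbers, query a lookup-by-phone endpoint, slow down when throttled) next to the kind of server-side detector that a rate limit on its own does not give you, as an added Python example. This is not code from either article, from the commenters, or from Facebook: the lookup service, its per-client rate limiter, the directory, the client names, the number block and the detection thresholds are all constructed for the simulation, and the clock is virtual so nothing really sleeps or talks to a network.

```python
"""Constructed simulation of phone-number enumeration against a contact
lookup endpoint, plus a server-side detector for it. Everything here is
synthetic: the directory, the clients and the rate limiter are toys for
illustration, not Facebook's real API or its controls."""
from collections import defaultdict, deque
import random

PREFIX = "+1212555"  # constructed: one block of 10,000 candidate numbers


def number(suffix):
    """Build a number in the constructed block from its 4-digit suffix."""
    return f"{PREFIX}{suffix:04d}"


# Constructed directory: 12 accounts scattered across the block.
DIRECTORY = {number(s): f"user{s}" for s in
             (7, 31, 52, 119, 148, 203, 276, 333, 418, 561, 790, 905)}


class LookupService:
    """Lookup endpoint with the only control the articles mention: a naive
    per-client rate limit. More than `limit` calls inside `window` virtual
    seconds are refused until the older calls age out of the window."""

    def __init__(self, directory, limit=50, window=60.0):
        self.directory = directory
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)   # client -> timestamps in window
        self.log = []                     # (client, number, hit) per lookup

    def lookup(self, client, num, now):
        q = self.calls[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "rate_limited", None
        q.append(now)
        profile = self.directory.get(num)
        self.log.append((client, num, profile is not None))
        return "ok", profile


def enumerate_block(service, client, start, end, rate_per_sec=10.0):
    """The scraper: walk a contiguous block as fast as the endpoint allows,
    back off when it pushes back, then creep the rate back up. Returns the
    matched profiles and the virtual time the whole block took."""
    base = 1.0 / rate_per_sec
    interval, now, found = base, 0.0, {}
    n = start
    while n <= end:
        status, profile = service.lookup(client, number(n), now)
        if status == "rate_limited":
            interval *= 2                       # slow down ...
            now += interval
            continue                            # ... and retry the same number
        if profile is not None:
            found[number(n)] = profile
        interval = max(base, interval * 0.95)   # speed up again while allowed
        n += 1
        now += interval
    return found, now


def sync_contacts(service, client, contacts, start_time=0.0):
    """A legitimate address-book upload: a few dozen unrelated numbers,
    most of which belong to real accounts."""
    matched, now = {}, start_time
    for num in contacts:
        status, profile = service.lookup(client, num, now)
        if status == "ok" and profile is not None:
            matched[num] = profile
        now += 0.5
    return matched


def flag_enumerators(log, min_queries=20, max_hit_rate=0.5, min_sequential=0.8):
    """Detector keyed on the shape of the traffic rather than its speed:
    many lookups, mostly misses, and mostly consecutive numbers.
    Thresholds are constructed for the demo."""
    by_client = defaultdict(list)
    for client, num, hit in log:
        by_client[client].append((int(num.lstrip("+")), hit))
    flagged = {}
    for client, rows in by_client.items():
        if len(rows) < min_queries:
            continue
        hit_rate = sum(1 for _, hit in rows if hit) / len(rows)
        steps = [b - a for (a, _), (b, _) in zip(rows, rows[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if hit_rate <= max_hit_rate and sequential >= min_sequential:
            flagged[client] = {"queries": len(rows),
                               "hit_rate": round(hit_rate, 3),
                               "sequential": round(sequential, 3)}
    return flagged


def run_demo():
    """One legitimate client and one scraper against the same service."""
    svc = LookupService(DIRECTORY)
    rng = random.Random(1)
    # constructed upload: all 12 real contacts plus 8 numbers nobody owns
    contacts = list(DIRECTORY) + [number(s) for s in
                                  (1234, 2345, 3456, 4567, 5678, 6789, 7890, 8901)]
    rng.shuffle(contacts)
    legit = sync_contacts(svc, "phone-app", contacts)
    scraped, elapsed = enumerate_block(svc, "scraper", 0, 299)
    return {"scraped": scraped, "elapsed": elapsed, "legit": legit,
            "flagged": flag_enumerators(svc.log)}


if __name__ == "__main__":
    r = run_demo()
    print(f"scraper matched {len(r['scraped'])} accounts in {r['elapsed']:.0f}s "
          f"of virtual time despite the rate limit; flagged: {r['flagged']}")
```

The rate limiter changes only how long the scraper takes: it still walks every number in the block and recovers every account in it, which is the point Copley makes about slowing down until the queries stop being refused. What separates the scraper from the contact-sync client in the log is not volume but a near-zero hit rate on an almost perfectly sequential sequence of numbers, which is the signal a detector has to be built on.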