Facebook members bare all on networks, Sophos warns of new privacy concerns

October 02, 2007 Sophos Press Release

IT security and control firm Sophos is urging Facebook to improve its default privacy settings following new research that revealed members are unwittingly exposing their personal details on a mass scale to millions of strangers, putting themselves at risk of identity theft.

Sophos took a random snapshot of 200 users in the London Facebook network, which is the single largest geographic network on the site, with more than 1.2 million members, and found that a staggering 75 percent allow their profiles to be viewed by any other member, regardless of whether or not they have agreed to be friends. Sophos has seen evidence that Facebook users in other geographic regions are similarly exposing personal information to complete strangers, and notes that as some regional networks are very large (Toronto has more than 866,000 members, Vancouver more than 476,000, New York more than 421,000) indicates how enticing this social networking site can be for cybercriminals.

Joining a Facebook network can expose your information to hundreds of thousands of strangers
Joining a Facebook network can expose your information to hundreds of thousands of strangers.

Facebook is made up of thousands of networks worldwide, and users are encouraged to join them in order to meet and make friends with people in their area. Even if you have previously set up your privacy settings to ensure that only friends can view your information, joining a network automatically opens your profile to every other member of the network. Sophos experts note that this is a worrying situation, particularly given the growing popularity of these networks. For instance, in May 2007, there were just 375,000 Facebook members in the London network, a three-fold increase in just four months means that an unprecedented amount of personal and corporate information is now available for strangers to view.

"I was flabbergasted when I joined a network on Facebook using a profile which I thought was secure, only to find Facebook had changed a number of settings and was opening me up to millions of strangers," said Graham Cluley, senior technology consultant at Sophos. "Who was to say that cybercriminals weren't in that network too? Is it right that Facebook works this way?"

Facebook changes users' privacy settings to reveal their profiles to strangers when they join a regional network
Facebook changes users' privacy settings to reveal their profiles to strangers when they join a regional network.

Worryingly for businesses, 25 percent, which could equate to as many as 300,000 users in the London network, revealed information relating to their work - details that could potentially be used by cybercriminals in their attempts to commit corporate ID fraud or to infiltrate company networks.

"While Facebook's privacy features are far more sophisticated than competing social networking sites, too many members still aren't getting the message about how to use them effectively to help protect against ID theft," continued Cluley. "Facebook has ultimately put these privacy options in place to protect its flock so perhaps it's time for the networking phenomenon to take the next step and change its default settings so that when members join a network, they have to actively click to leave their details on show, rather than automatically letting it all hang out online."

The research further highlights that 54 percent of users in the London network show their full date of birth; vital information for cybercriminals wishing to commit identity fraud. One percent, which equates to 12,000 people, are divulging their phone number to over a million strangers. While smaller networks may not pose as great a threat as the massive London circle, each one - whether regional, work or college related - presents a significant risk to members that fail to check and amend their privacy settings.

"The Facebook network issue almost amounts to identity-on-demand for cybercriminals, who are fully capable of taking advantage of unwitting Facebook fans. It's crucial that users take a few minutes to look at their privacy settings before getting caught up in the undisputed fun of Facebook," concluded Cluley.

Recently, Sophos published research showing that 41 percent of Facebook users were prepared to divulge personal information to a complete stranger (a small plastic frog called Freddi Staur - an anagram of 'ID Fraudster').

Simply click on the arrow above to stream the podcast through your browser. Alternatively you can download it to your MP3 player.

Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.