Incident: Facebook's Contact Import Tool Vulnerability Exposes User Data.

Published Date: 2018-03-20

Postmortem Analysis
Timeline
1. The software failure incident related to Facebook's contact import tool vulnerabilities and the scraping of data from over 500 million users occurred prior to September 2019 [112959].
2. The incident where millions of Instagram passwords were stored in plain text was discovered in January during a routine security review [83913].
3. The incident involving the harvesting of private information by companies exploiting Facebook's terms occurred between 2011 and 2012 [69017].

System
1. Facebook's contact import feature failed, leading to the exposure of user data [112959].
2. Facebook's password storage system failed, resulting in millions of Instagram passwords being stored in plain text [83913].
3. Facebook's data protection system failed, allowing third-party companies to harvest private information of Facebook users [69017].

Responsible Organization
1. Facebook [112959, 83913, 69017]

Impacted Organization
1. Over 500 million Facebook users had their profile names, email addresses, and phone numbers exposed due to the software failure incident [112959].
2. Millions of Instagram users had their passwords stored in plain text, and about 1.5 million users had their email contacts harvested without permission [83913].
3. Hundreds of millions of Facebook users had their private information harvested by companies exploiting Facebook's data-sharing policies [69017].

Software Causes
1. The failure incident was caused by a vulnerability in Facebook's contact import feature, specifically the "content importer" tool, which allowed attackers to scrape data from over 500 million users [112959].
2. Another software cause was the storing of Instagram passwords in plain text format, making them accessible to Facebook employees [83913].
3. The failure incident was also caused by Facebook's lax approach to data protection, allowing third-party developers to exploit terms of service and settings to harvest private user information [69017].

Non-software Causes
1. Lack of appropriate safeguards in place to protect personal information of users and non-users [112959]
2. Failure to enforce data protection measures and audits of external developers [69017]
3. Allowing developers access to Facebook users' friends' data without their knowledge or express consent [69017]

Impacts
1. The software failure incident led to the exposure of the profile names, email addresses, and phone numbers of over 500 million Facebook users, causing a significant privacy breach [112959].
2. The incident resulted in Facebook acknowledging lapses in privacy protection, including storing Instagram passwords in plain text and unintentionally harvesting email contacts of about 1.5 million users [83913].
3. The failure incident contributed to a series of bad news for Facebook, damaging its reputation for privacy protection and raising concerns about its data-handling practices [83913].
4. The incident highlighted Facebook's historical lax approach to data protection, as indicated by the whistleblower's warnings about potential data breaches and misuse of user data by third-party developers [69017].
5. The software failure incident exposed the risks associated with Facebook's policies, such as allowing developers access to user data without proper oversight, leading to the unauthorized collection of personal information [69017].

Preventions
1. Implementing appropriate safeguards and security measures to protect user data, such as fixing known vulnerabilities in features like the contact import tool [112959].
2. Conducting regular audits of external developers to ensure data is not being misused and enforcing data protection policies more rigorously [69017].
3. Taking proactive steps to monitor and control the data shared with outside developers, including auditing developer systems and banning rogue developers if necessary [69017].

Fixes
1. Implementing stricter security measures and regular audits of the contact import feature to prevent vulnerabilities and unauthorized data scraping [112959].
2. Enhancing user privacy controls and ensuring clear communication about how personal information is accessed and shared on the platform [112959].
3. Conducting thorough investigations and promptly addressing any reported bugs or flaws in the software to prevent data breaches [83913].
4. Enforcing strict data protection policies and ensuring that user data is encrypted and stored securely to prevent unauthorized access [83913].
5. Taking proactive steps to monitor and regulate third-party developers' access to user data to prevent misuse and unauthorized data harvesting [69017].

References
1. Facebook's official statements and acknowledgments [112959, 83913]
2. Security researchers and experts [112959]
3. Reports from investigative bodies like the Office of the Privacy Commissioner of Canada and the Office of the Data Protection Commissioner of Ireland [112959]
4. Whistleblower Sandy Parakilas, former platform operations manager at Facebook [69017]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization
(a) The software failure incident having happened again at one_organization:
- Facebook has faced similar incidents related to privacy and data breaches in the past. For example, in 2019, it was reported that millions of Instagram passwords were stored in plain text, and email contacts of about 1.5 million users were harvested without permission [83913].
- Facebook also had issues with its contact import feature in the past, where vulnerabilities were reported by researchers. These incidents highlight a recurring theme of privacy and security concerns within Facebook's services [112959].
(b) The software failure incident having happened again at multiple_organization:
- The articles do not provide specific information about similar incidents happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation
(a) The software failure incident related to the design phase can be seen in the incident where Facebook's contact import feature had known problems and supposed fixes over the years, leading to vulnerabilities that allowed attackers to scrape data from over 500 million users [112959].
(b) The software failure incident related to the operation phase is evident in the incident where Facebook unintentionally harvested the email contacts of about 1.5 million users over three years without their permission during the account sign-up process, showcasing a failure in the operation or misuse of the system [83913].
Boundary (Internal/External) within_system, outside_system
(a) within_system: The software failure incident related to the Facebook data leak and scraping incidents can be categorized as within_system. The incidents were primarily caused by vulnerabilities and issues within Facebook's systems, such as the contact import feature, the way data was handled, and the lack of appropriate safeguards to protect user information [112959, 83913, 69017].
(b) outside_system: The incidents also involved contributing factors that originated from outside the system, such as attackers exploiting the vulnerabilities within Facebook's systems to scrape data from over 500 million users. Additionally, the incidents involved issues related to third-party developers accessing and misusing user data, which can be considered as factors originating from outside the system [112959, 83913, 69017].
Nature (Human/Non-human) non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions:
- In Article 112959, it is reported that over 500 million Facebook user profiles had their information scraped publicly online due to a vulnerability in Facebook's contact import feature. This issue was not directly caused by human actions but rather by a flaw in the software feature itself [112959].
(b) The software failure incident occurring due to human actions:
- In Article 83913, it is mentioned that millions of Instagram passwords were stored in plain text, allowing Facebook employees to read them. This was a result of human actions or decisions within the company that led to the insecure storage of passwords [83913].
- Additionally, in Article 69017, it is highlighted that Facebook's lax approach to data protection, terms of service, and settings that were not properly enforced contributed to data breaches and the harvesting of private information by third-party companies. These failures were a result of human actions and decisions within Facebook [69017].
Dimension (Hardware/Software) software
(a) The articles do not provide information about a software failure incident occurring due to hardware issues.
(b) The software failure incidents reported in the articles are primarily related to software issues. For example, in Article 112959, it is mentioned that Facebook had vulnerabilities in its contact import feature that allowed attackers to scrape data from over 500 million users. Additionally, in Article 83913, it is highlighted that millions of Instagram passwords were stored in plain text, which is an insecure format. These incidents point to software failures originating in the software itself [112959, 83913].
Objective (Malicious/Non-malicious) malicious, non-malicious
(a) The software failure incident related to the exposure of over 500 million Facebook users' data was primarily malicious in nature. Attackers were able to "scrape" Facebook by manipulating the contact import tool to extract sensitive data from user profiles [112959]. Additionally, a vulnerability report submitted in 2019 highlighted a bug in Instagram's contact import feature that could pull user data through a phone number enumeration attack, which was exploited by malicious actors [112959].
(b) The software failure incident related to the unintentional harvesting of Instagram passwords and email contacts of Facebook users was non-malicious. Facebook acknowledged that millions of Instagram passwords were stored in plain text, and email contacts of about 1.5 million users were collected without permission [83913]. These incidents were attributed to lapses in security practices and data handling by Facebook, rather than intentional malicious actions.
Intent (Poor/Accidental Decisions) poor_decisions
(a) Poor decisions are evident in the software failure incidents reported in the articles. For example, in Article 112959, it is highlighted that Facebook had known about vulnerabilities in its contact import feature for years but did not take adequate measures to prevent mass scraping of user data. Researchers had alerted Facebook to similar issues in the past, but the company did not prioritize fixing these vulnerabilities, especially when growth was at stake. This indicates a pattern of poor decisions by Facebook in addressing known software vulnerabilities [112959].
Additionally, in Article 69017, it is mentioned that Facebook's lax approach to data protection, including allowing developers access to user data without proper monitoring or control, contributed to data breaches and privacy violations. The platform operations manager at Facebook raised concerns about the risks associated with the data sharing practices and lack of enforcement mechanisms, but his warnings were not heeded by senior executives. This reflects poor decisions made by Facebook in handling user data and privacy protection [69017].
Capability (Incompetence/Accidental) development_incompetence, accidental
(a) The software failure incident occurring due to development incompetence:
- The incident involving the exposure of Facebook user data was attributed to issues with Facebook's "content importer" feature, which had a history of known problems and supposed fixes over the years [112959].
- Researchers had alerted Facebook to similar issues in the past, indicating a lack of appropriate safeguards in place to protect user information [112959].
- Facebook's handling of user data and privacy settings, such as the contact import tool and privacy controls, raised concerns about the company's approach to addressing vulnerabilities and protecting user privacy [112959].
- The incident where Instagram passwords were stored in plain text was a result of a routine security review that discovered hundreds of millions of passwords stored insecurely, indicating a lapse in security practices [83913].
(b) The software failure incident occurring accidentally:
- Facebook unintentionally harvested the email contacts of about 1.5 million users over the past three years, which was discovered when a security researcher noticed users being asked to enter their email passwords without permission [83913].
- The incident involving the exposure of Facebook user data through scraping was described as a result of attackers manipulating the contact import tool to access user information, indicating an unintended consequence of the tool's functionality [112959].
- The incident where Instagram passwords were stored in plain text was described as an oversight discovered during a routine security review, suggesting an accidental storage of passwords in an insecure format [83913].
Duration permanent, temporary
(a) The software failure incident reported in the articles is more of a permanent nature. The incidents mentioned in the articles highlight ongoing issues and vulnerabilities within Facebook's systems that have persisted over time. For example, the articles discuss how Facebook had known about vulnerabilities in its contact import feature for years before the recent data scraping incident [112959]. Additionally, the articles mention instances where Facebook stored passwords in plain text, unintentionally harvested email contacts, and allowed developers access to user data without proper controls [83913, 69017]. These recurring issues and failures indicate a more permanent nature of the software failure incidents.
(b) However, there are also elements of temporary software failure incidents in the articles. For instance, the articles mention specific incidents such as the discovery of millions of Instagram passwords stored in plain text and the unintentional harvesting of email contacts of users over a three-year period [83913]. These incidents can be seen as temporary failures caused by specific circumstances or lapses in security protocols.
Behaviour omission, value, other
(a) crash: The articles do not specifically mention a software failure incident related to a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The incident reported in Article 83913 mentions a failure related to the omission of performing intended functions. It describes how Facebook unintentionally harvested the email contacts of about 1.5 million users over the past three years without their permission [83913].
(c) timing: The articles do not mention a software failure incident related to timing, where the system performs its intended functions correctly but too late or too early.
(d) value: The incident reported in Article 112959 describes a failure related to the system performing its intended functions incorrectly. It discusses how attackers were able to "scrape" Facebook by manipulating the contact import tool to return names, Facebook IDs, and other data users had posted on their profiles [112959].
(e) byzantine: The articles do not mention a software failure incident related to byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The incident reported in Article 69017 highlights a failure related to the system behaving in a way not described in the options (a to e). It discusses how Facebook allowed developers to access the personal data of friends of people who used apps on the platform without their knowledge or express consent, leading to data harvesting by various companies [69017].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property
(d) property: People's material goods, money, or data were impacted due to the software failure. In the reported software failure incidents related to Facebook, the property of users was impacted. Specifically, in Article 112959, it is mentioned that the profile names, email addresses, and phone numbers of over 500 million Facebook users were circulating publicly online due to a vulnerability in Facebook's contact import feature. This incident led to the exposure of sensitive user data, impacting the property of the affected individuals [112959]. Additionally, in Article 83913, it is highlighted that millions of Instagram passwords were stored in plain text, which could have allowed Facebook employees to read them. This insecure storage of passwords put the property (data security) of the users at risk [83913].
Domain information, finance, government
(a) The failed system was related to the industry of information, specifically social networking platforms like Facebook that involve the production and distribution of information. The incident involved the exposure of personal data of Facebook users due to vulnerabilities in the contact import feature [112959].
(h) The incident also has implications for the finance industry as it involves the mishandling of personal information, which could potentially lead to financial fraud or identity theft [112959].
(l) Additionally, the incident has connections to the government sector as it raises concerns about data privacy and protection, which are crucial aspects in politics, defense, justice, and public services [112959].
(m) The incident could also be related to the industry of technology or software development, given that it involves software vulnerabilities and failures in Facebook's contact import feature [112959].
