Facebook Has Hosted Stolen Identities and Social Security Numbers for Years

Cybercriminals have posted sensitive personal information, such as credit card and social security numbers, of dozens of people on Facebook and have advertised entire databases of private information on the social platform, Motherboard reports. Some of these posts have been left up on Facebook for years, and the internet giant only acted on these posts after the publication told it about them. From the report: As of Monday, there were several public posts on Facebook that advertised dozens of people's Social Security Numbers and other personal data. These weren't very hard to find. It was as easy as a simple Google search. Most of the posts appeared to be ads made by criminals who were trying to sell personal information. Some of the ads are several years old, and were posted as "public" on Facebook, meaning anyone can see them, not just the author's friends. Independent security researcher Justin Shafer alerted Motherboard to these posts Monday.

Better not look in Google, then

[xxxJonBoyxxx]

So...if Google cached results that contained full SSNs and other PII, aren't they as culpable as well? (And I'd imagine they're still in there...)

LinkedIN

[Anonymous Coward]

Why isn't anyone getting uptight over LinkedIN? They have our goddamn WORK history! Does anyone think that they aren't pimping out our data?
I remember having my profile looked at without ever seeing WHO looked at them. That was fucking creepy!

When an employer says they recruit from LinkedIN I pass them by - like GoodWill......

I 'canceled' my LinkedIN account and never had a facebook account. From what I've seen, that didn't make any difference.

Re:

[tlhIngan]

So...if Google cached results that contained full SSNs and other PII, aren't they as culpable as well? (And I'd imagine they're still in there...)

They do, and Google promptly removes it as well once notified. They even block the search.

There was a time Google was used to search for credit card numbers, and Google quickly got those eradicated from the search results and made it so the search doesn't actually work anymore.

Re:

[darkain]

NSA spying powers!

Re:

[greenwow]

Plus this is holding Facebook responsible for the actions of others.

isn't it time for some action from Congress?

[Alwin Barni]

I think it is time for more then just a public show of shamming in front of the Congress.

The best would be to decouple SSN from private lives and use it as it was intended to, just as your social security ID.

I would also add a requirement for any company to use up-to-date encryption standards when processing personal information and explicit permission of the mentioned when storing such information for longer then 'n' weeks (government agencies can be exempt from the explicit permission of course).

Yeah, that's how it works

[drinkypoo]

Some of these posts have been left up on Facebook for years, and the internet giant only acted on these posts after the publication told it about them.

Yes, Facebook depends on notifications to catch some illicit content. If they acted on those posts once notified, the system is working — except for the part where someone can use your SSN to get credit in your name. That part is broken, by design. However, that part isn't in Facebook.

You can play whack-a-mole with SSNs from now until eternity, or you can fix the credit problem, but you can't protect SSN's by playing whack-a-mole.

Re:

[Riceballsan]

I can't agree with the premise here... I hate facebook beyond anything, but we're still looking at the rough premise of "people are stupid and put things online that they shouldn't". We can't really solve that problem by forbidding people from posting anything. Destroy the internet is the only option that accomplishes that, which I'm not so in favor of

Re:

[parkinglot777]

It is what people do -- dumb things. If you want to be very careful, don't have a FB account at all. That's the only way to avoid the situation you mentioned.

Re:

[Ichijo]

If I tried to post an ad for illicit content in my local newspaper, the editors would catch it. Why can't Facebook do the same?

Re:

[Riceballsan]

The same reason that putting ads in your local paper is priced out of the range that people would ever use it for anything they weren't really concerned about. The paper is happy to charge you $50+ to put in a half a paragraph blurb. Facebook is made so that anyone with an e-mail address can publish photo's of every meal they eat without batting an eye. I hate facebook, I don't use them... but I at least understand what people who use it, want to use it for, but this is a crazy silly comparison. Newspapers

Re:

[Ichijo]

In order for facebook to do that, they'd need to hire a few hundred million people

That doesn't sound impossible, only expensive. Instead, Facebook chose to cut corners, betting that it would save them money over any fines and lawsuits they might have to pay.

Why should they not be allowed to lose that bet?

Now we're going to say they need to be spending MORE time looking at our posts?

Not all of our posts, just the public ones.

Safe barbor for haircuts

[Impy the Impiuos Imp]

If facebook actively searches for this stuff, they can't hide behind safe harbor legislation that merely requires removal of stuff when notified.

It'a like having a rustic forest with widowmaker branches hanging up there. Once you start pulling them down, you're screwed, and have to do it repeatedly lest you get sued. If you had left it alone and some idiot wandered through and got killed, that's their problem.

Old News

[mencik]

Brian Krebs reported [krebsonsecurity.com] on this a week ago, and then followed up with another story [krebsonsecurity.com] about how attempting to report more of them was rebuffed.

Deja vu?:

[Manqueman]

I’m sure they’ve apologized and promised to do better.