NEW YORK (CNNMoney.com) -- Public but personal details from more than 170 million Facebook profiles were harvested from the site and made available in a downloadable torrent file this week.
Ron Bowes, a security researcher and blogger, wrote a software program to scan Facebook's public directory of profiles. Users can choose to opt out of that directory, but most stick with Facebook's default setting and allow their name and a few other personal details to publicly searchable.
"Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details," Bowes wrote on his blog at SkullSecurity.org.
Bowes' exploit did not involve breaching users' privacy settings or obtaining any passwords, and all of the information he gathered is openly available on Facebook's site. However, the sheer size of his data haul is significant: Bowes' chunky 2.8 gigabyte file includes names and URLs for 171 million Facebook profiles. Facebook has an active user population of 500 million.
Bowes created a torrent for his cache, making it available through sites such as Pirate Bay. He also did some preliminary data mining: Facebook's most-common user name is "jsmith," and the most popular first names on the site are Michael, John and David, Bowes found.
While Bowes called the information's easy accessibility "a scary privacy issue," Facebook downplayed his exploit.
"This information already exists in Google, Bing, other search engines, as well as on Facebook. No private data is available or has been compromised," Facebook said in a statement. "Similar to the white pages of the phone book, this is the information available to enable people to find each other, which is the reason people join Facebook."
The company reiterated that its privacy controls allow users to adjust their settings so that they do not appear in a search on Facebook or through search engines.
Though the information Bowes culled is public, his approach still violated Facebook's terms of service. The site prohibits collecting user information "through automated means," which includes harvesting scripts like the one Bowes created.
Facebook is typically aggressive in cracking down on policy violators. The company said Wednesday that it deleted all applications created by Pencake, a top outside developer whose widgets were used by 45 million Facebook members, because Pencake broke Facebook's rules.
But Bowes doesn't seem concerned. He's already planning the next phase of his Facebook data dive. Bandwidth constraints stopped him from gathering users' public photos and other openly available details, this time around."So far, I have only indexed the searchable users, not their friends," he wrote in his blog. "I'd like to tackle that in the future, though, so if anybody has any bandwidth they'd like to donate, all I need is an ssh account and Nmap installed."
Source: CNN Money