Naked Security

Facebook bug may have made 14m users’ posts public

Facebook's been moving fast and breaking things again.

The latest Facebook privacy SNAFU (Situation Normal, All Facebooked Up) is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.
On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information mistakenly shared publicly, but it’s best to check.
Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.
Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.


Egan said that the bug popped up as Facebook was building a new way to share featured items on profiles, like a photo for example. Featured items are automatically set to “public,” so the suggested audience for all new posts – not just these items – was also set to public, she said.
The glitch is now fixed. Facebook also changed the sharing audience back to what affected people had been using before. Facebook’s letting people know, and asking them to double-check the fix, “out of an abundance of caution,” Egan said.
You’ll know if you’re one of the 14 million if, when you log in, you see a notification that leads to a page with more information, including a review of posts during the 18-22 May period.
The audience selector bug reminds us of Facebook’s old motto, “move fast and break things”, and comes at a time when the company’s handling of user data has also been reminiscent of the Facebook of old.
Privacy-wise, Facebook’s spent the past few months dealing with a string of revelations since Cambridge Analytica kicked things off in March.
This week has also seen Facebook defending itself for giving deep data access to device makers, dubbing them “insiders” – a move that places them above its own restrictions against sharing with third parties. And – in just the last few days – one of those device makers turned out to be Huawei, a Chinese firm flagged by US intelligence officials as a national security risk because of its alleged ties to China’s government.
As far as this bug goes, Egan’s take is, essentially, ‘We broke something else, but hey, at least this time, we’re being upfront about it’:

We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use your data – including when things go wrong. And that is what we are doing here.

In an ocean’s worth of thumbs-down, here’s a thumbs-up on the transparency, Facebook.
