Facebook breach shows "we share too much and think too little"

(CBS NEWS) -- Facebook's (FB) acknowledgment that all 2 billion of its users likely had their information "scraped" without their knowledge or consent should serve as a wake-up call to consumers. Watch what you share -- not just on social media, but also on apps and in online quizzes.

"People are giving out enough pieces of personal information to create a new identity, and you can't count on the federal government -- or companies -- to protect it," said Steven Bearak, chief executive of Identity Force.

Indeed, in the past few months, consumers have been barraged with information about how their personal information has been compromised and misused, from helping Russian bots share political disinformation on Facebook to helping advertisers glean everything from their weight loss goals to their political leanings and likes.

However, few people realize that the data breaches they hear about are a mere fraction of the total. According to the Identity Theft Resource Center, more than 270 verified data breaches occurred in just the first three months of 2018. With most of them -- even some that affected millions of consumers -- the companies aren't required to disclose the scope or severity of the breach.

"We know that the [publicized breaches] must have hit a threshold that required disclosure by law, but that's all we know," said Eva Velasquez, president and chief executive of the Identity Theft Resource Center in San Diego. "They don't even necessarily tell you what information was compromised. And that's really important. If it's a credit card number that was compromised, I'm going to tell you to do different things to protect yourself than if it was your Social Security number."

Still, because Facebook has such a sweeping reach, many experts believe revelations about the social network's privacy gaffes could prove to be a watershed moment that will help expose the amount of data that people are sharing inadvertently.

"We share too much and think too little," said Velasquez.

For instance, chances are you've taken a quiz on Facebook -- or copied and pasted a friend's message that urges you to "share this if you have ever been affected by cancer" or "if you have a daughter you love" or "if you know someone who has been hurt by mental illness." 

Any of these could be planted by data miners who want to know granular details about who you are, how you live and the types of things you'll respond to, said Chet Wisniewski, principal research scientist at Sophos, a computer security and data protection company.

"'Which Star Wars Ewok are you?' It sounds cute and fun, but these quizzes are used to get you to open up your account so that they can steal your information," Wisniewski said. "For many people it's been life-changing to have access to friends and relatives around the world through Facebook. But sadly, the way the game is played is that you give up all of your personal information for the right to use these services."

Worse, he said, some of the information you give up is the same sort that banks regularly use to identify you -- your birthdate, for instance. And many quiz questions correspond to the security questions that banks, brokers and other financial services firms use to help you retrieve lost passwords: Who was your best friend growing up? What's the name of your first pet? What street did you grow up on? 

Provide too much of this information, and you could be giving crooks the final key needed to break into your financial life.

Take action

Although you can't control what happens to information that has already been scraped and sold, you can take steps to reduce personal damage from future data breaches.

Wisniewski suggests, for instance, that you delete any information on Facebook that you don't want shared with potential crooks, including your birthday. If you can't get yourself to delete that information -- because you love getting all the birthday messages -- at least revise your privacy settings. And don't forget to look at the settings that provide information to the outside applications that connect through Facebook.

The recent revelations about Cambridge Analytica, for instance, revolve around an app called "thisisyourdigitallife." It not only took personal data from the 270,000 users who willingly signed up for its online personality test, but it also scraped the profiles of users' friends, which is how it plundered information from millions of people without their permission.

How do you secure your privacy settings?

Use Facebook's drop-down arrow at the top right of the screen to find and click on Settings. Then click on the "privacy" tab to review how your personal information is currently being shared.

Once you've edited your privacy settings, click on the "Apps and Websites" tab for a list of applications connected to your account.

To see what permissions these apps have been granted, put the app's name in the search bar and click. That will bring up what this app is authorized to do. You can then edit those permissions or delete the app entirely. If you delete it, you can also have the app remove any posts it has published on your behalf. You can also turn off the ability to have any app interact with you on the site.

Notably, this exercise helps, but it doesn't completely protect you from privacy violations. Other online companies from social networks to Google (GOOG) are also collecting information on you -- from the things you share on the websites you visit to the songs you play on Alexa. It's almost impossible to avoid this sharing without becoming a digital hermit, said Wisniewski. 

If you don't want to end all online activity, you should at least be aware that anything you post or publicly search for goes into the public domain.

"When you post something, you're giving up your privacy," said Bearak. "You need to be aware that this information doesn't really belong to you, and it may be used for other purposes."
