The Facebook “Find Your Account” page is designed as a service to help users recover the passwords or email addresses associated with their login. The only problem: any user can enter information about any other user and uncover potentially revealing information.
Author Adam Tanner put the feature to the test for a story in Forbes, and uncovered personal information about randomly selected people, including Facebook profile photos and clues about his targets’ email addresses.
“This is an interesting case where a feature aimed at giving users a better service actually exposes their private data,” said Michael Bar-Sinai, a software engineer at Harvard’s Institute for Quantitative Social Science.
For its part, Facebook told Tanner that users can take control of their own privacy and change their settings so that they can’t be found. However, Tanner soon proved that inaccurate.
An unnamed Facebook spokesperson issued the following response:
“If you use the password recovery feature to search for someone who has modified these settings such that you can’t look them up using this information, you will see only ‘Facebook User’ and will not be able to view their name, profile photo, or networks,” a Facebook spokesman said.
In response, Tanner targeted the spokesperson by seeking them out through the feature. He found a partially obscured email address that, using context clues, he could easily guess. Even though it’s intended as a helpful feature, Find Your Account presents some big privacy issues for Facebook that could prove difficult to address.
Privacy Tip – create a totally separate email address just for use with Facebook and don’t list any of your primary email addresses as alternates on the platform.