The secret recruitment process of a Russian-speaking soap opera actor led to Facebook exposing over 3,000 users’ personal data to the high-profile manager of one of the country’s biggest spy agencies.
An internal Facebook app, produced for the Russian Federal Security Service (FSB) to promote recruitment of Russian-speaking entertainers, collected biographical information on almost 3,000 people.
Specifically, the app requested, among other data, the user’s gender, location, birthday, email address, employer, relationship status, language spoken and types of social media accounts used.
The leaked list of customers, dated March 8, 2018, has the names, employers and descriptions of applicants for the recruitment app as well as phone numbers and direct messages used by other users.
“The full sequence of data requests made by the Facebook app server was unique, and the information previously obtained from third parties through external data access portals or other forms of access is not available on the Facebook app server,” Facebook said in a statement released December 21.
The server was dedicated to a company called “Moscow Tor Project,” meaning agents were able to import their personal data into the app, bypassing the use of third-party data to recruit.
An internal investigation by the Russian hacking organization, Fancy Bear, recently gained access to the secret app in question, and it was shared with the St. Petersburg-based security research firm Six4Three, which recently obtained the list from a whistleblower.
The leaked data hit users while the app was temporarily banned by Facebook.
“The exposure of the information allowed the recruiting agency, located in St. Petersburg, to reach hundreds of agents online, recruit and bring them to its front offices for a personal interview. This resulted in enlisting about 100 of these agents in the agency,” Six4Three’s Russia researcher Alexandra Zhuratova wrote in a December 19 post in the official Bug Report blog.
Following the revelation, Facebook says the personal data of these 3,000 affected users was secured and has been in the “deleted” system for up to 180 days.
Facebook has also launched a new program to help people and companies safeguard their data, and the data used by Russia’s spying agency is being removed from its system entirely.