Meta Doesn’t Want Your Data to End up in Hacker Databases

And it's willing to pay for it

Key Takeaways

  • Meta has expanded its bug bounty program to fortify its platform and users against data scrapers.
  • Data scraping has led to hackers amassing information of over 300 million users in the past.
  • Meta claims it’s the first one to reward researchers for their help to reign in data scraping.
3D illustration Rendering of people connection technology concept, Futuristic Abstract background for business Science and technology

MR.Cole_Photographer / Getty Images

Would it surprise you to know that automated programs sweep social media platforms like Facebook to harvest any publicly accessible information and collate them inside databases? Individual pieces of information might not be of much use, but together they can enable hackers to perpetrate all kinds of digital crimes, such as credential thefts and phishing attacks. And Meta has had enough of it.

While the social network itself takes steps to catch and curtail these automated programs called scrapers, the platform has now decided to enlist the help of independent security researchers by expanding its bug bounty programs. Its goal is to not just fix the bugs that leak such details about its users but also to help find such databases that hold scraped information.

"The bug bounty program will help fill the gaps in Facebook's defenses against scraping and alert Meta to scraped databases that surface on the web," Paul Bischoff, privacy advocate and editor of Infosec research outlet Comparitech, told Lifewire over email.

The Scraping Menace

Meta referred to scraping as an "internet-wide challenge" as it announced the expansion of its bug bounty program, which was initially designed to find software glitches in the code that powers the platform. 

According to Bischoff, many platforms have outlawed the use of scrapers, even for the information they hold that's publicly accessible. That's because personally identifiable information (PII), such as usernames, birthdates, email addresses, and location, are often used by bad actors to target users in elaborate social engineering campaigns.

The bug bounty program will help fill the gaps in Facebook's defenses against scraping and alert Meta to scraped databases...

However, Bischoff adds that Facebook has struggled to distinguish between scrapers and legitimate users, which has resulted in huge data leaks in the past. He specifically points to the leak that surfaced in March 2020 when Comparitech teamed up with security researcher Bob Diachenko, and discovered a database that contained the user IDs and phone numbers of over 300 million Facebook users. 

But scraping isn't outright illegal—at best it exists in a techno-legal gray area since it does have legitimate uses as well.

"Even though scraping is against Facebook's terms of use, it's not strictly illegal. Some scraping operations are malicious, but others are academic, or journalistic," clarified Bischoff.

Wanted DOA

In its announcement of the expansion of the bug bounty program, Facebook mentioned that since its inception, the bug bounty initiative had awarded over 800 bounties, totaling over $2.3 million to researchers from more than 46 countries. Tackling "new challenges" such as scraping was a natural extension of the program.

Even though scraping is against Facebook’s terms of use, it's not strictly illegal.

According to Meta, the expanded bug bounty program will reward security researchers on two fronts. 

One, as part of its larger security strategy to make scraping harder and "more costly" for threat actors, Meta will award reports about bugs in its platform that bad actors can exploit to bypass the barriers it's erected to dissuade scraping. 

Secondly, the platform said it'll also award data bounty hunters who inform it about unprotected databases available online that contain the scraped PII of at least 100,000 unique Facebook users. 

"If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed," Meta noted in the announcement.

Crowd of people on network connection lines

Yuichiro Chino / Getty Images

It added that if the scrape was because of a misconfiguration in the application of an external developer, the platform would work with the developer to plug the leak. On the other hand, it'll also make efforts to ensure that the hosting service where the hackers have housed the scraped database takes it down.

The rewards for the scraping bounties start at $500, and while the scraping bugs entail monetary payouts, information about scraped databases will be awarded in the form of charity donations to nonprofit organizations of the reporters' choosing. 

"To the best of our knowledge, this is the first scraping bug bounty program in the industry," Meta summed up. "We will work to address feedback from our top bounty hunters before expanding the scope to a greater audience."

Was this page helpful?