Dev builds database of Facebook emails and phone numbers with public info

facebookshieldIs your phone number public on Facebook? If it is, there’s a chance Brandon Copley has it.

According to a report by TechCrunch, Copley, a mobile developer in Dallas, Texas, used developer access to Facebook’s Search API to create a database that encompasses 2.5 million users. Many of those users have an email or phone number associated with them, acquired by Copley.

Copley didn’t need to exploit any security hole to get access to that data, either. It’s all publicly available, and according to Facebook, everything is working as intended on their end.

“The ability to search for a person by phone number is intentional behavior and not a bug in Facebook,” a spokesperson for the company said in an email to GeekWire. ”By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.”

Copley told TechCrunch that his work was supposed to draw attention to the fact that thousands of people leave their phone numbers exposed to the public without knowing it, and doing so constitutes a major security risk.

Facebook has systems in place to prevent scraping of the sort that Copley did, and, according to its spokesperson, those systems kicked in successfully.

“Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked,” the spokesperson said.

In addition to blocking Copley, Facebook’s lawyers have also gotten in touch with him. According to the article, the company’s legal team has sent Copley a cease-and-desist letter, including instructions to have him provide the details for how he acquired the data.

When thinking about privacy settings on Facebook, it’s easier to consider the peer-to-peer case –someone searching for you by name — than it is to consider automated processes scraping public data. While Facebook did eventually stop Copley’s scraping, the company seems uninterested in protecting users from other developers using the same tools less frequently.

Previously on GeekWire: OOPS: Facebook discloses contact info for 6 million people