
A REAL Facebook privacy issue: Email addresses NOT listed on Facebook are getting indexed by Google - Update: Fixed by Facebook


I'm not one to freak out about my personal information getting "leaked" from my mostly private Facebook profile, mainly because I don't publish things that I don't want people to know, but this is another story. This is a REAL Facebook privacy issue.

I Googled my email address (as I occasionally do) to see if it was indexed anywhere, because I like to keep it off the grid as much as I can. As it turns out, Facebook is the ONLY website that publishes my address, and the thing is...I don't even use that address on Facebook.

So what's happening here? Well, Facebook's "Opt out of emails from Facebook" page is getting indexed by Google. I'm assuming (based on critical thinking and moderate fact checking) addresses appear on this page if the following criteria are met:
  • Email address is not tied to an account on Facebook
  • Email address has been submitted by a friend using the "Find a friend" feature


What makes this a big problem is the fact that you can find THOUSANDS of email addresses by doing a simple Google search like:

site:facebook.com "Do you want to stop receiving Facebook emails" - fixed by Facebook

or

site:facebook.com "Do you want to stop receiving Facebook emails" @gmail.com - fixed by Facebook

Queries like this returned thousands of results, and I'm sure with a little digging, you could find more.

One obvious problem is that spammers can easily scrape this data and add legitimate addresses to their lists, many of whose owners might not give their addresses to Facebook for a reason. I actually remember seeing this problem a while back (maybe 6 months to a year ago), but forgot about it. I'm a little surprised that this one has slipped through the cracks for this long.

Follow me on Twitter and I'll let you know how this thing turns out.

Update: Sachin Agarwal pointed out on Hacker News that a lot of addresses getting indexed are secret addresses that people use to post to blogs (i.e., Blogger). Yikes.

Update: It looks like Facebook has fixed the issue by preventing search engines from indexing that page. A big thanks to Blake Ross from Facebook for joining the thread on Hacker News to find the root of the problem and get it fixed. My email address is safe, once again!
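The fix described above, keeping search engines from indexing a page that echoes an email address, can be checked from the defender's side. The following is an added example, not code from the post or from Facebook; the post does not say which mechanism Facebook used, so it checks the two standard per-page signals (the `X-Robots-Tag` response header and the robots `<meta>` tag), and the sample responses are constructed.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BLOCKING = {"noindex", "none"}  # directives that keep a page out of search results

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            content = a.get("content") or ""
            self.directives |= {d.strip().lower() for d in content.split(",")}

def header_directives(headers):
    """Directives from any X-Robots-Tag header (header names are case-insensitive)."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # "googlebot: noindex" carries a user-agent prefix; keep the directive part
            found |= {p.split(":")[-1].strip().lower() for p in value.split(",")}
    return found

def audit(headers, body):
    """Audit one HTTP response (headers: dict, body: str) for indexable addresses."""
    parser = _RobotsMeta()
    parser.feed(body)
    directives = header_directives(headers) | parser.directives
    indexable = not (directives & BLOCKING)
    emails = set(EMAIL_RE.findall(body))
    # An indexable response that echoes an address is the condition the post describes.
    return {"indexable": indexable, "emails": len(emails),
            "finding": indexable and bool(emails)}

# Constructed sample responses (not captured from Facebook).
PAGE = ("<html><body>Do you want to stop receiving Facebook emails at "
        "alice@example.com?</body></html>")
EXPOSED = ({"Content-Type": "text/html"}, PAGE)
FIXED_HEADER = ({"X-Robots-Tag": "noindex, nofollow"}, PAGE)
FIXED_META = ({}, '<head><meta name="robots" content="NOINDEX"></head>' + PAGE)

if __name__ == "__main__":
    for label, (h, b) in (("exposed", EXPOSED), ("header", FIXED_HEADER), ("meta", FIXED_META)):
        print(label, audit(h, b))
```

A `Disallow` rule in robots.txt is deliberately not treated as a fix here: it stops crawling, but a URL that is linked from elsewhere can still appear in results, and a crawler that is blocked never sees a `noindex` on the page.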

13 responses

Aviraj Saluja said
This is just incredibly messed up
val said
Holy crap... now I know why I keep getting email about penis enlargement. Thanks, Facebook.
ian kennedy said
It should be easy enough for Facebook to block search engines from these pages. Careless oversight.
fady said
Great catch!!!
Dave said
Weird, you can actually opt-out those email addresses using the target page.
Chris said
I did a search on Google as you mention in the post and got no results. What happened?
fady said
Yeah, that is weird, as I copied the query, and did find what he was mentioning, but now - no results! That is some quick damage control
moioci said
I recently changed my registered FB email to a variation on my gmail address. Within 2 days, I was receiving spam addressed to that email I'd never used anywhere else before or since.
Vladimir Anisimov said
Cory, hi! In this post you suggest following you on Twitter, but in the settings there you block that!! Is that deliberate? Or did someone do it for you?
Jen said
I want to be able to allow facebook to have people search for me within FB but not for it to pop up on a google search. Is this possible?
Star Plus Dramas said
Totally agree with your suggestion... Very nice post and good information here... Thanks for posting that....
pay per click said
The main reason why many people are always receiving unsolicited emails from unknown senders is this: Facebook distributed email addresses over Google. These emails are being used as leads for email marketing purposes and advertising strategies by other companies, and Facebook should be responsible enough for this.