Facebook Loses Face: Board Member’s Account is Breached

Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”

While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” said Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to block this activity.”

Breyer, a partner at Accel Partners, didn’t respond to questions relating to the message.

No doubt both Facebook and Breyer would prefer that the break-in pass quietly. Yet it’s more than an embarrassment for the company, which has just three other board members, including CEO Mark Zuckerberg, investor-entrepreneur Marc Andreessen, and Peter Thiel of Clarium Capital and Founders Fund.

In addition to highlighting how easily Facebook can still be spoofed — even when it comes to someone as well-versed in the ways of Facebook as Breyer — the scam underscores the widespread and growing resentment over Facebook’s self-interested efforts to socialize the Web, turning users’ private networks of Facebook friends and data into more public, and ultimately lucrative, information off which it can capitalize.

Here’s how Wired put it, in an arresting and widely read piece published on Friday:

[Last] December, with the help of newly hired Beltway privacy experts, [Facebook] reneged on its privacy promises and made much of your profile information public by default. That includes the city that you live in, your name, your photo, the names of your friends and the causes you’ve signed onto.

This spring Facebook took that even further. All the items you list as things you like must become public and linked to public profile pages. If you don’t want them linked and made public, then you don’t get them — though Facebook nicely hangs onto them in its database in order to let advertisers target you.

This includes your music preferences, employment information, reading preferences, schools, etc. All the things that make up your profile. They all must be public — and linked to public pages for each of those bits of info — or you don’t get them at all. That’s hardly a choice, and the whole system is maddeningly complex.

One would guess that the hack of Breyer’s account is just the beginning. Before most users had the chance to “opt out” of Facebook’s instant personalization program, Facebook had sent its first three program partners — Pandora, Yelp, and Microsoft’s Docs.com — users’ names, their friends’ names, their profile pictures, gender, connections, and any content they’d shared using the Everyone privacy setting. It’s probably safe to assume that as a result, few people are concerned about the integrity of Breyer’s account — or anyone else assumed to be involved in some of Facebook’s decisions.

Whether the incident changes Breyer’s perspective is another question.

Last week, I talked with social media analyst Jeremiah Owyang of Altimeter Group about Facebook’s policy to have users opt out, rather than in. “There are always consumer watchdog groups that will complain, along with very vocal developers,” said Owyang. “But the vast majority of consumers don’t know and don’t care [about privacy issues] until it impacts their personal lives.”

UPDATE. Facebook asked me this morning to publish the following:

We take security very seriously and have devoted significant resources towards helping our users protect their accounts. We’ve developed complex automated systems that detect and flag Facebook accounts that are likely to be compromised (based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad). Because Facebook is a closed system, we have a tremendous advantage over email. That is, once we detect a phony message, we can delete that message in all inboxes across the site. We also block malicious links from being shared and work with third parties to get phishing and malware sites added to browser blacklists or taken down completely. Users whose accounts have been compromised are put through a remediation process, where they must take steps to re-secure their account and learn security best practices. This is what happened with Mr. Breyer’s account.

To combat these threats, however, we need users’ help too. You can protect yourself by never clicking on strange links, even if they’ve been sent by friends, and by being wary of sites that ask you to download or upgrade software.

We educate people about online security through our Facebook Security Page (http://www.facebook.com/security), which has well over one million fans.
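The two signals Facebook’s statement names, a burst of messages from one account in a short window and links to hosts already known to be bad, can be checked mechanically over an outbound-message log. The following is an added illustration, not Facebook’s code: the log lines, the blocklisted hosts, the account names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound-message log lines (timestamp, sender, text).
# Lines are assumed to arrive in time order; none of this is real data.
SAMPLE_LOG = [
    "2010-05-09T09:00:01 account_a hey, lunch tomorrow?",
    "2010-05-09T09:00:05 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:00:06 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:00:07 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:00:08 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:00:09 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:00:09 account_b Would You Like a Facebook Phone Number? http://fb-phone.example-bad.test/rsvp",
    "2010-05-09T09:10:00 account_c check this out http://news.example.org/story",
    "2010-05-09T09:20:00 account_d see http://login-verify.example-bad.test/",
]

# Constructed blocklist standing in for a feed of known phishing hosts.
KNOWN_BAD_HOSTS = {"fb-phone.example-bad.test", "login-verify.example-bad.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")      # timestamp sender text
URL_RE = re.compile(r"https?://([^/\s]+)")        # captures the host part


def detect_compromise(lines, window=timedelta(seconds=60),
                      max_per_window=5, bad_hosts=KNOWN_BAD_HOSTS):
    """Return {sender: set_of_reasons} for senders matching either heuristic.

    "burst": more than max_per_window messages inside a sliding time window.
    "known-bad-link": a message links to a host on the blocklist.
    """
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting the sweep
        ts = datetime.fromisoformat(m.group(1))
        sender, text = m.group(2), m.group(3)
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_per_window:
            flagged[sender].add("burst")
        for host in URL_RE.findall(text):
            if host.lower() in bad_hosts:
                flagged[sender].add("known-bad-link")
    return dict(flagged)
```

The burst threshold alone will also catch legitimate bulk invitations, so in practice the two signals are combined with a remediation step rather than acted on in isolation.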