
Who Has Access to Your Address Book?

I had two friends complain that they received Facebook invitations from me today. I don’t remember sending those people invitations, and I never invite anyone to a social network without talking to them first.

My friends forwarded the invitations to me. They were dated yesterday, and the headers indicated that the messages were from Facebook servers. There have been recent reports of phishing scams aimed at Facebook users, though, so I changed my Facebook password, even though I don’t have any evidence that my account has been compromised.

But then I started thinking about all of the places that could potentially have access to my address book. My “master” address list is in the Mac Address Book app, but it’s synced to my web-based Google Apps contact list, and to the Thunderbird address book on my PC laptop. It’s also synced to my Palm Treo smartphone.

I’m pretty careful about passwords, and I respect the privacy of the folks in my address book. But I’m always trying new services, and it seems like everyone wants their site to have a social component. So the list of places that might have access to my address book is appallingly long.

  • Adium
  • AirSet
  • AOL/AIM/Netscape
  • Biznik
  • Blogger
  • Delver
  • Digsby
  • Dropbox
  • Dropcard
  • eBuddy
  • eWallet
  • Facebook
  • Flickr
  • FriendFeed
  • Ginx
  • Gist
  • GizaPage
  • Gizmo5
  • Glide
  • Gmail
  • Goodreads
  • Googaby
  • Google Apps
  • LastPass
  • LibraryThing
  • LinkedIn
  • LiveJournal
  • Mikogo
  • Mozy
  • Mundu
  • MySpace
  • net4mac
  • Ning
  • OperaMail
  • Skype
  • SocialMinder
  • Soocial
  • Sprint
  • ThinkFree
  • Time & Chaos
  • Trillian
  • Twitter
  • TypePad
  • Ulteo
  • ViaTalk
  • VoxOx
  • Xmarks
  • Yahoo
  • Yuuguu
  • Zoho

Now, most of these places have clear privacy policies, and I’m sure none of them would knowingly leak their users’ data. But let’s face it, security breaches are common these days, from national governments to banks to credit card companies. So with a list that long, how can I figure out where the breach might be?

Social networks need to provide tools that let individual users track how our data is being used. Gmail, for example, has an “Activity on this account” page (accessible from the bottom of the main screen) that shows when and how the account was accessed, and from which IP address. Facebook and other social networks need to make similar information available.

In the meantime, some elementary steps will keep your data, and your contacts’ data, more secure.

  • Use anti-virus, anti-malware and firewall software.
  • Make hard-copy and off-site backups.
  • Change your system, network, email and web site passwords frequently, and make them difficult. (Use the “generate password” function included in most password storage programs.)
  • Keep track of social web sites to which you have given access to your address book data. Be extra vigilant about changing passwords for these sites, and if you aren’t using them anymore, delete your accounts.
  • Check which applications have access to your social networking accounts, like Facebook and LinkedIn. Delete any applications that you aren’t using.

How are you keeping your address book secure?

Image by stock.xchng user xaila.

16 Responses to “Who Has Access to Your Address Book?”

  1. The hack seems to be working the same way as Antivirus2009, which is the “wolf in sheep’s clothing hack.” Antivirus2009 showed you a pop-up that said click here to remove spyware from your computer. Of course, that pop-up was the spyware itself, and clicking on it gave it access to your computer. The same can happen on Facebook. If links start popping up on Facebook saying something along the lines of “Facebook detects foul, click here to protect your data” it may be the hackers. Facebook should make its interfaces more complicated and difficult for hackers to copy. Facebook’s current interfaces are too plain anyway, they could use some pizazz!

  2. Can a website access files on your hard drive? I wasn’t aware this was physically possible…

    I have a Mac, so a malware download is pretty unlikely, yet Facebook also appears to be mining my Address Book data.

    EXCEPT… So far, all of the “incidents” have freemail addresses, so perhaps they all got suckered into giving up their online address book info, and I’m on it.

    EXCEPT… The one that I only communicated with from my (now defunct) AOL address. But, that could be friend-of-a-friend…

  3. keith

    I’ve had the same issue. Friends are suggested with whom I have no friends in common but who are all in my address book. In fact, I had one suggestion who was the wife of someone in my address book. Not random events.
    My iPhone has the Facebook app, which I sync with my Mac.

  4. Hi Michael, the same happened to me. I have never given Facebook access to my address book and I have had friend recommendations from people I only have in my address book. I think that when these people allow facebook to have access to their address book, and your email address is in their address book, it will automatically offer a suggestion on your profile.

    This is still ethically wrong and should not happen and I think the facebook developers should look into this.

  5. Michael W

    Hi Charles,

    I noticed today after deleting two contacts from my iPhone, facebook then suggested these as friends! Has anyone got to the bottom of what application is stealing data? I use the word stealing, because without going into the small print I never knowingly gave facebook access to my address book.



  6. Hi Charles,

    At, we value your data as much as we care for our very own profiles data, that was one of the main reasons why we had built in privacy controls in our product.

    I agree that social networks need to provide an option for users to track their profile data to check how and where it is being used, like Gmail activity.
    IMHO, looking at the growth of OAuth/OpenID, we clearly need to have standard security/privacy measures adopted across all players in the social web space.


  7. I have just noticed the same thing. Friend suggestions I have no association with other than an email address have been appearing in the suggestion pane. I’m trying to trace the source as everything is synced, Outlook, imap and iphone. I have also recently installed the Facebook iphone app.

    This is a serious breach of security that needs looking into. I don’t think Facebook would be so bold to do such a thing. It must be a 3rd party app.

  8. I have to comment on one of your suggestions; ‘Change your system, network, email and web site passwords frequently’. Changing your passwords does not, in any way, make them more secure. It actually makes them less secure because you are more likely to forget them and have to write them down or request new ones, etc.

    Pick a good, unique password for each service and stick with it.

  9. I think the point about removing Facebook apps that you no longer use is a good one. Apps get sold and/or change. Some of the apps I’ve used in the past have changed completely — the risk is that they use your data for purposes you wouldn’t originally have envisaged. This is especially important now that apps are more hidden away, not “front and center” like they used to be in the old Facebook.

  10. I just googled “does facebook hack your address book?” and I found your blog.

    I just noticed that my FB homepage (on the top right of the page), where it lists friend suggestions, has listed people who I have emailed or been CC’d on an email with in my Outlook. 3 people today who I don’t have any mutual friends with were suggested to me.

    I think that is way too much of a coincidence. How can you find out if Facebook is accessing your email account such as Outlook?
    I have Zone Alarms installed.

    This is not cool.