A problem in Facebook’s login system allows hackers to match unknown email addresses to users’ names, even if the accounts are configured to be private.
The leak, according to Atu Argawal of SecFence Technologies, could be exploited by individuals conducting phishing attacks. Facebook will return the full name and picture of the individual linked to the email address.
“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Argawal writes. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”