Facebook allowed third party marketers to download names of people in private groups

A private Facebook group for women who are carriers of the BRCA breast cancer gene discovered that marketers were able to harvest their names and personal information because of a Facebook privacy loophole.

Christina Farr and Kate Fazzini of CNBC report on the Facebook Groups vulnerability that allowed third parties to discover real names and other info on people in closed groups, then download the info en masse.

"That's not good for those in private patient communities," says Farr of the privacy vulnerability.

Marketers were able to harvest names and other information of the people in this group, who by joining the group, identified themselves as BRCA carriers or likely carriers.

The group's leader identified a Chrome browser plug-in for marketers that appeared to allow then to discover names and other information for members of private, closed groups. She contacted a security researcher who confirmed her suspicion.

Facebook has closed the loophole, and the Chrome plug-in has been discontinued.

From the report:

On June 20, Trotter and the BRCA members received a response from Facebook, which included an acknowledgement that member lists for these closed groups were available publicly. According to the Facebook response provided by Trotter, a company representative said: "Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward."

A Facebook spokesperson confirmed the interaction and said the company continues to emphasize its commitment to the groups concept in allowing individuals to share sensitive experiences.

Members of the BRCA group replied to Facebook that they were dissatisfied with the response on June 26. By June 29, the ability to harvest details in this way was shut down on Facebook, according to Trotter and Downing.

Did Facebook really shut this privacy leak down? Looks like it.

CNBC contacted three other security professionals who verified that the ability to download member information from "closed" groups was once enabled, but now appeared to be unavailable.

Below, a related story shared on Twitter.