Facebook’s employee numbers have been growing rapidly and it has been revealed that a significant portion of those employees are working on security issues. With over 400M users and a rich amount of information and access to computers, the draw for hackers is obvious, and the site will need the staff to fight back.
Even if security problems initially affect only a small number of users, the viral-platform nature of Facebook means that security threats could very well spread, and quickly. Many of the threats get propagated through unsuspecting users’ Walls to their friends because they seem harmless. With issues like fake Ikea and Whole Foods coupon scams popping up via Facebook Fan Pages, and fake ads luring social game players to sites that install malware, Facebook has a need for improved measures.
A PC World article says that Facebook’s Max Kelly gave a talk this week at the Black Hat Security conference addressing the site’s security issues and how Facebook is dealing with them. (It should be noted here that the referenced article calls Max Kelly the CSO — chief security officer — but an official Facebook blog post yesterday says that Joe Sullivan is CSO. An earlier post from Aug 2008 indicates that Kelly is the “head of security”.)
Facebook’s core security team is only 20 people, with 15 people on the site integrity team. However, as many as 200 more are involved in security-related issues, including monitoring illegal activity and studying hacker motivations. The company has in fact used its findings to take action. For example, Facebook has leveraged the U.S.-Canada CAN-SPAM Act and other laws to go after hackers, resulting in settlements nearing $900M in one case alone.
While Facebook might be offering a new Security Center and beefing up its security team, sometimes Facebook and its employees are their users’ worst enemy: there have been multiple incidents of code changes that exposed private email addresses and inbox messages, as well as features like Beacon that revealed a bit too much about consumers’ buying habits.