A Chrome extension called Grouply.io has been found to allow third parties to get data from private Facebook groups.
The security breach was discovered by Andrea Downing, a moderator of a Facebook group that brings together women with BRCA, a gene associated with breast cancer. Downing explains that the theoretical privacy of a Facebook group lets women share their problems and stories and build strong relationships. For example, members posted images of their surgical procedures, along with experiences and advice about staying healthy.
Downing started to worry whether the group was safe from prying eyes after recent Facebook scandals. She checked it out and discovered that the Chrome extension Grouply.io, now defunct, had allowed downloads of names, jobs, places, emails and other personal data from anybody in a private Facebook group.
Downing contacted an expert in health data monitoring, Fred Trotter, to investigate the case. Trotter found out that closed (private) Facebook groups had a serious security breach.
Downing got in touch with Facebook, but neither she nor Trotter has been satisfied with the social network’s statements.
The good news is that since June 29, it has no longer been possible to get data from private groups. What a coincidence: just a month after Downing made her discovery and informed Facebook about it.
The bad news is that before then, there’s a chance that third parties had access to our data through private Facebook groups. In the case of this group of women, a health insurer could have used this extension to create its own database.