I’ve been following the whole Facebook privacy saga with great interest. It’s good to see that Facebook are about to put in some fixes. Some would argue a little too late – but then the business of Facebook is about dealing in people’s private information, so I would have been surprised if they jumped to action any quicker than they absolutely had to.

As a security practitioner, the whole Facebook (and social media) phenomenon scares me a little. At the moment the bulk of the discussion is about how people don’t want their personal information shared. But the reason it scares me is that the personal information being discussed is exactly what web sites for large organisations (e.g. banks) have been using to authenticate people for a long time. Typical password reset questions are things like “what is your mother’s maiden name” or “what is the colour of your car”.

Well, you can find the answers to these questions (and more!) on social media sites. And with members in the hundreds of millions, that’s a lot of information for fraudsters to mine.

So my doomsday scenario – what happens when someone hacks the Facebook database?