Facebook Founder Accused of Hacking Into Rivals' Email

An anonymous reader notes a long piece up at BusinessInsider.com accusing Facebook founder Mark Zuckerberg of hacking into the email accounts of rivals and journalists. The CEO of the world's most successful social networking website was accused of at least two breaches of privacy. In a two-year investigation detailing the founding of Facebook, Nicholas Carlson, a senior editor at Silicon Alley Insider, uncovered what he claimed was evidence of the hackings in 2004. "New information uncovered by Silicon Alley Insider suggests that some of the complaints [in a court case ongong since 2007] against Mark Zuckerberg are valid. It also suggests that, on at least one occasion in 2004, Mark used private login data taken from Facebook's servers to break into Facebook members' private email accounts and read their emails — at best, a gross misuse of private information. Lastly, it suggests that Mark hacked into the competing company's systems and changed some user information with the aim of making the site less useful. ... Over the past two years, we have interviewed more than a dozen sources familiar with aspects of this story — including people involved in the founding year of the company. We have also reviewed what we believe to be some relevant IMs and emails from the period. Much of this information has never before been made public. None of it has been confirmed or authenticated by Mark or the company." The single-page view doesn't have its own URL; click on "View as one page" near the bottom.

Re:Different password

[Bronster]

Facebook also had a thing "give us your gmail or hotmail password and we'll log in and retrieve your contact email addresses and offer you to add them as friends if they have a Facebook account already" - presumably they stored those passwords as well.

Wasnt Mark

[gmuslera]

Was Chuck Norris [slashdot.org]

n00bsauce

[cosm]

The hilarity would be if his tracks could be traced down through their own system's perverse logging, maybe then would he regret his company's policy of practically 100% data retention. Pwned Mark Fuckerberg. Pwned.

Re:He'll Probably Get Off Easy

[phantomfive]

In fairness, in the corporate world there are so many pitfalls that it's essentially impossible to navigate through them all without a strong team of lawyers and accountants.

Laws in America are so complex and vague that the average american commits three felonies a day [wsj.com]. The same difficulties apply to companies. Even something as straightforward as paying a CEO takes legal specialists dedicated to that specific area of law. Even think of the difficulties of complying with Sarbanes Oxley from an IT perspective. It takes time to set up all the infrastructure, and if you were a startup, you may not even have had a dedicated sys admin. Then suddenly you have all these regulations you have to comply with.

Not that I'm trying to excuse Zuckerberg. If he was stealing other people's emails, he should go to jail, a much better candidate for jailtime than Terry Childs.

no surprise

[Anonymous Coward]

Anyone familiar with the mechanics of Facebook's rise to prominence should not be surprised at the alleged ethical and legal violations. Zuckerberg et al. hacked and social engineered their way into dozens of college freshman admit lists so they could be the first to get new students online. This is not speculation. The "virality" of early facebook was not viral at all, it was good old fashioned spam to ill-gotten mailing lists.

Uh, where's the hacking?

[Jeian]

It took me about 10 minutes to skim through the backstory, but it's pretty sparse on the details and supporting evidence.

"Instead, he decided to access the email accounts of Crimson editors and review their emails. How did he do this? Here's how Mark described his hack to a friend:"

Oh, a friend said Mark said... right.

"Nevertheless, during 2004, Mark Zuckerberg still appeared to be obsessed with ConnectU. Specifically, he appears to have hacked into ConnectU's site and made changes to multiple user profiles, including Cameron Winklevoss's."

"At one point, Mark appears to have exploited a flaw in ConnectU's account verification process to create a fake Cameron Winklevoss account with a fake Harvard.edu email address."

It "appeared" that way? According to whom, and based on what?

Seriously, the whole article is a long string of "it looks like" and "he said she said Mark said" with nothing to back any of it up.

Nothing about this is surprising

[Anonymous Coward]

This doesn't surprise me, only confirms what I've thought about Zuckerberg.

1) I believe he stole Facebook from the ConnectU founders. I believe the assertions that he was hired as a developer and dragged his feet while forming his own company which eventually became Facebook.

2) I believe he has no scruples when it comes to Facebook users' data. He has publicly stated that he knows what's best for "his" users and this arrogance shines through every time the UI is abruptly changed.

3) I believe he will do whatever he pleases with users' information. I don't think that privacy laws provide guidance to him but instead are constraints that he will bypass given any opportunity.

I'm pleased to see that he is being publicly exposed - I doubt anything will come of it - but am glad for him to be seen as he truly is, an arrogant and unscrupulous bad person. This latest revelation may finally send him where he belongs . . .

banking.

Re:Different password

[Like2Byte]

Yeah, Linkedin.com also asks for passwords to your multiple email accounts to scan them for contacts. Wow. What a gold mine that could be. If there's an email addy that they don't know or a name they don't recognize, they could start spamming them for registrations and, potentially, saying a friend or colleague provided your email address to us thinking you might be interested in joining our social club....

Re:Stupid Users

[Culture20]

Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members' Harvard email accounts. He successfully accessed two of them.

This is why I always have an "OH &*#$#^!" moment whenever I accidentally enter the wrong password into the wrong form. It's a mad rush to change the password to whatever service/server the password really belongs to. Thankfully, it's usually different usernames...

Re:Different password

[hughperkins]

I was basically thinking about services such as Amazon EC2 et al, and the possibility of outsourcing computing power from inside an organization into the cloud, and my observation that such an organization cannot really escape having to trust the administrators of the cloud facility, since there is no way of securing a cloud server's memory against the cloud organization's administrators.

Yes, Lastpass does not fall into this category at all, and seems potentially secure.

Re:Not Really Surprised

[Dracos]

A person with flawed ethical standards tends to do unethical things.

They also tend to gather people around them who have similar ethics. For everything he has done, who knows what his employees have done, either independently or at his request.

Re:Not Really Surprised

[Pecisk]

About P2P social network - XMPP aka Jabber just allows that :)

Re:The difference

[Yvanhoe]

Just be prepared for the day they won't be in charge anymore.

Re:Serious Allegations

[Philip_the_physicist]

Of course we should be wary of them, but hopefully this sort of thing will help drive enough people to use secure email to get a critical mass.

As it is, I can't encrypt most of my outbound mail, because people don't have public keys (even unsigned ones are a lot better than nothing), and most people's clients don't seem to automatically save keys and then apply them when replying, which is really needed if we want non-technical people to use encryption.

IMO, all mail programs should prompt the user to choose a key when they add an account, and if they don't have one already, create one and start using it.