A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private.
The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

The link for this article located at The Register UK is no longer available.