41% of Facebook Users Share Personal Information with a Frog

Facebook FreddiYou can file this in the “altogether not that surprising” category: The IT security firm Sophos has conducted a little experiment to see how easily it might be to obtain personal information from Facebook users. They created a fabricated Facebook profile called Freddi Staur (an anagram of ‘ID Fraudster’), a small green plastic frog who divulged minimal personal information about himself. Freddi then sent friend requests to 200 random users to observe how many people would respond, and how much personal information could be gleaned from the respondents. There findings are quite revealing:

  • 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41% of those approached)
  • 72% of respondents divulged one or more email address
  • 84% of respondents listed their full date of birth
  • 87% of respondents provided details about their education or workplace
  • 78% of respondents listed their current address or location
  • 23% of respondents listed their current phone number
  • 26% of respondents provided their instant messaging screenname

In the majority of cases, Freddi was able to gain access to respondents’ photos of family and friends, information about likes/dislikes, hobbies, employer details and other personal facts. In addition, many users also disclosed the names of their spouses or partners, several included their complete résumés, while one user even divulged his mother’s maiden name – information often requested by websites in order to retrieve account details. Sophos has a full write-up of the experiment here.

This makes for a nice little cautionary tale about how much information you divulge online, and how one should be careful about making it available to random strangers to view and collect. For its part, Sophos has published a “best practices” for Facebook users, providing their recommendations on how to configure Facebook’s extensive (and, unfortunately, complicated) privacy settings.

[via David Faser]


  1. Yes, but how many of the people who divulged information considered that information at all private? I already list a frog as a friend with Friendster, and there’s nothing in my Facebook profile that I consider nonpublic. I would sooner educate people about not putting sensitive information into Facebook in the first place than educate them about who they communicate with.

  2. I agree. Whether one considers their birthdate private or not is irrelevant to the potential usefulness of that bit of data if left exposed for those bad apples (or frogs) who hope to scrape such sites to gather information for identity theft, etc. The issue is sensitive information being online, not a public/private dichotomy.

  3. That’s ridiculous. A phone number is private no matter how you view it, because it provides an incredible amount of information about who you are. People who don’t realise the dangers of giving their phone number out to just anyone are totally stupid. Even if they don’t consider it private, it certainly is private. Yes, I know we put our blogs and businesses on the net with phone numbers and contact details but that’s very different.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s