Perhaps it’s time to start paying more attention to whom you’re friending on Facebook. A recent study designed to evaluate how safe social networks are from being invaded by programs pretending to be real people resulted in more than 250GB of personal information being collected from thousands of Facebook users by the researchers’ “socialbots.”
Researchers from the University of British Columbia’s Vancouver campus released 102 socialbots onto Facebook as part of the eight week study, each one given a name and a profile picture so as to better convince real users that they were, in fact, entirely genuine. Each bot then proceeded to send 25 friend requests per day—limited to prevent setting off spam alerts—and within two weeks, 976 requests had been accepted.
For the next six weeks, the bots sent requests to the friends of their new friends, with 59% of that second wave accepting, leading to what the researchers call “a large-scale infiltration” of the site.
The researchers said that the exercise proved how ineffective existing safety measures are against this kind of attack, with only 20% of their socialbots being caught by Facebook’s “Immune System,” with even that low percentage only happening because users flagged the friend requests as spam.
A report on the experiment, “The Socialbot Network,” explains the danger this presents:
“As socialbots infiltrate a targeted OSN, they can further harvest private users’ data such as email addresses, phone numbers, and other personal data that have monetary value. To an adversary, such data are valuable and can be used for online profiling and large-scale email spam and phishing campaigns.”
A Facebook spokesperson deflected criticism by attacking the report, saying that the company has “serious concerns about the methodology of the research by the University of British Columbia, and we will be putting these concerns to them.”
Graeme McMillan is a reporter at TIME. Find him on Twitter at @Graemem or on Facebook at Facebook/Graeme.McMillan. You can also continue the discussion on TIME’s Facebook page and on Twitter at @TIME.