In those days it was common practice for folks to blindly accept permissions that apps asked for. If someone stole a database filled with access tokens, they'd in-turn have access to all of this data.
The sets to consider are:
- The cases where they did it. We know they did it. We're making a big deal out of it (CA, etc)
- The cases where they did it. We know they did it. We're not making a big deal out of it (Obama, given the sad state of much of western media)
- The cases where they did it and nobody knows, and nobody seems to care about.
I suspect the last case has the highest numbers. There were probably hacking operations that took whatever access tokens they could find, ate the user's entire social graph, and sold it off.
The sets to consider are:
- The cases where they did it. We know they did it. We're making a big deal out of it (CA, etc)
- The cases where they did it. We know they did it. We're not making a big deal out of it (Obama, given the sad state of much of western media)
- The cases where they did it and nobody knows, and nobody seems to care about.
I suspect the last case has the highest numbers. There were probably hacking operations that took whatever access tokens they could find, ate the user's entire social graph, and sold it off.