The massive success of Facebook isn't good news for everybody. By expanding its students-only membership policy to include all comers, the site has seen user numbers skyrocket. And existing users are discovering their information isn't as private as they thought.

With social networking overtaking online shopping as UK internet users' favourite waste of time, many people could soon discover that online it's possible to provide too much information.

Caught in the act

In July, Oxford University students were shocked to receive emails from University authorities threatening them with fines for end-of-term misbehaviour. According to Oxford City Council, students' unofficial end-of-term parties, which usually take place in the town centre, cost up to £20,000 to clean up.

In the past, students have been secretly filmed in order to identify the culprits. This year, though, the students incriminated themselves. They took photos, uploaded them to Facebook and bragged about their involvement. And University authorities used them as evidence.

The student union called the move a 'disgraceful' invasion of privacy. But as a spokesperson for Oxford University says, "The perception is that this site is private. It is not, and everybody in the modern world has to adjust to that". The authorities hadn't done anything wrong; the problem is that the students were unaware or had forgotten that staff could also view content on Facebook's Oxford University network.

It's hard to feel sorry for students who fling food around town centres and leave the mess for others to clean up, but the row highlights a bigger issue. These sites are all about sharing, and as a result their default privacy settings aren't particularly paranoid. So if you join a network, your details are available to everyone on that network.

Sharing things with a network might not seem like a bad idea, until your employer in the same network sees you're posting unpleasant things about your co-workers or doing things you shouldn't. However, many Facebook networks are much larger and less selective.

You can join a network for Glasgow, for Bristol, for Brighton & Hove or for London, and some networks cover entire districts or even continents. Fancy sharing your photos, contact information and thoughts with everybody in the West Midlands, or a continent? If you join networks, that's exactly what will happen if you don't change the privacy settings.

Identity theft

That's not just bad news for the badly behaved students. It's a potential goldmine for identity thieves. According to credit reference agency Equifax, many social network users cheerfully publish personal data - their email address, their home address, their phone numbers, marital status and so on - without realising that such information is a boon to identity thieves.

Factor in lazy password creation - survey after survey shows that people use their children's or pet's names, or their favourite football team, as a password - and you can see how apparently innocent personal data can be misused.

According to Symantec's ISTR (Internet Security Threat Report), ID thieves who amass enough information on someone to set up an online bank account sell that data for as little as 52p. As you'll see from the section 'Can we steal someone's ID?' below, if you're on the same network as your target, that information is easy to get hold of.

Parents should be particularly worried. A survey commissioned by privacy firm Garlik found that 40 per cent of teenagers regularly visit sites their parents have prohibited. Moreover, some 30 per cent divulge their full name, 12 per cent their address, 20 per cent their mobile number and 46 per cent their school name to virtual strangers.

Even apparently innocuous information can be misused. For example, if your child mentions that they're going on holiday, this gives the message 'my house is unattended' to a potential burglar. And endless reports have linked children's use of social networking services to cyberbullying, fraud and even grooming: only last month, MySpace deleted the profiles of some 29,000 convicted sex offenders.

Potential dangers of Facebook apps

Another potential threat is the Facebook API, which allows developers to create applications that run on the Facebook platform. Facebook doesn't vet and isn't responsible for any such applications, and warns users that they use them at their own risk.

As Verisign (and several other high-profile security firms) has warned, that API could provide an opportunity for malware creators. We've seen malware targeting MySpace users, and Facebook equivalents can't be far behind.

The real danger, though, isn't technological. It's users' lack of attention to privacy. As hackers know, there's a hard and an easy way to do everything. Attempting to hack into a corporate mainframe is the hard option. Phoning up, pretending to be the IT department and getting an employee's login details is easier.

It's the same with social networking. While it's no doubt possible to write an application for Facebook that steals user data, it's much easier to browse people's profiles to get what you need. And if you're on the same network as someone, or they've added you as a friend, then those details are just a click away.

As emailers, bloggers and now social networkers have discovered, you can't always control who sees your electronic outpourings. As social networking evolves and users connect to old friends and financial directors alike, more people will learn the hard way that it isn't always wise to put your life online.

Taken from issue 230, out 28 August.

The Facebook test: can we steal someone's ID?

Our victim has a Facebook account. His profile gives us his full date of birth, home town, email address and his wife's name. We can now get his home address and phone number from 192.com via the electoral roll. Knowing his wife's name means we can narrow down the list of names to find the right one.

We have lots of other information too. Over at LinkedIn, we find his educational and employment history. So with this we can apply for a credit card, and his list of interests on Facebook means we can have a go at guessing passwords.

Some banks are waking up to this. Many mainstream lenders have dumped the 'what's your mother's maiden name?' questions from their online banking services. Others are issuing customers with chip and PIN readers. But while such moves can help prevent people from accessing accounts, they might not stop fraudsters from setting up new ones.