If you needed a reminder of why you're wary of location-based services, here's one: A (thankfully good-intentioned) hacker was able to snag data from some 870,000 Foursquare check-ins—even ones set only to be visible to friends.

Jesper Andersen built a website to exploit a hole in the "Who's Been Here" section of Foursquare's website, allowing him to scrape an estimated 70% of all check-in data in the San Francisco area over the last three weeks. That's a lot of shameful trips to Subway. Wired explains:

On pages like the one for San Francisco's Ferry Building, Foursquare shows a random grid of 50 pictures of users who most-recently checked in at that location - no matter what their privacy settings. When a new check-in occurs, the site includes that person's photo somewhere in the grid. So Andersen built a custom scraper that loaded the Foursquare web page for each location in San Francisco, looked for the differences and logged the changes.


Andersen, who says he's been "trying to be white-hat" about his find, let Foursquare know about the breach, and the site responded by adding a setting to opt out of the relevant section. Still, Andersen worries that users won't know to seek it out in the first place: "I certainly haven't seen a drop-off in check-in collections," he said. And that means he's still doing the collecting. [Wired]