Contributed by: ElyseRomano Monday, September 23 2019 @ 11:02 am
Phone numbers linked to the Facebook accounts of more than 419 million users have been found online thanks to an insecure server.
According to TechCrunch[*1], the server contained records from multiple databases, including 133 million records on Facebook users in the United States, 18 million records of users in the United Kingdom, and over 50 million records on users in Vietnam. Each record contained a user’s Facebook ID - a unique number associated with every Facebook account, which can easily be used to ascertain the account owner’s name - as well as the phone number listed on the account. Some records also contained the user’s name, gender and location by country.
The server was not protected with a password, allowing anyone to find and access the database. Sanyam Jain, a security researcher from the non-profit organization GDI Foundation, discovered the database and reached out to TechCrunch when he was unable to identify the owner. TechCrunch confirmed the authenticity of a number of records in the database, but was also unable to find the owner.
Facebook spokesperson Jay Nancarrow said the data had been scraped before Facebook restricted access to user phone numbers in April of 2018.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson told TechCrunch. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
The database was taken offline after TechCrunch published its story, but the information has since been discovered in a second online repository. Elliott Murray, a cybersecurity researcher in the UK, found the new database and contacted CNET[*2]. Murray successfully matched a known phone number of a Facebook user provided by CNET with the correct name in the publicly accessible database.
"Databases of this scale don't come often, and it's clear from the data contained that the two match," Murray said.
Facebook declined to comment on the discovery of the second database. The company has been at the center of several high-profile security incidents in recent years, including the Cambridge Analytica scandal that may have helped influence the 2016 US presidential election. This latest security lapse could put Facebook users at risk of spam calls and SIM-swapping attacks, a type of scam in which hackers take over an account by tricking the cell carrier into transferring a victim’s phone number to a new SIM card.
Security experts recommend making your social media profiles private whenever possible to limit your vulnerability to these kinds of attacks.