September 5, 2019
More than 419 million records of Facebook users in the United States, United Kingdom and Vietnam — including Facebook IDs and user phone numbers — were recently found online (although Facebook disputes that number). The exposed server was reportedly not password-protected, meaning the data was accessible to anyone who found it. The server held user data in multiple databases, and data of this kind could enable spam calls and SIM-swapping attacks. According to Facebook, the exposed data was collected before the company introduced its newer security measures. The company has since taken the exposed data set offline.
“A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username,” explains TechCrunch. “But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.”
TechCrunch says it verified some of the exposed records and pointed out that in addition to IDs and phone numbers, some of the 419 million records also included “the user’s name, gender and location by country.” According to Gizmodo, however, “a Facebook spokesperson disputed the 419 million figure … claiming the server contained ‘closer to half’ of that number, but declined to provide a specific figure.”
The information was initially found online by security researcher Sanyam Jain, who noted that several phone numbers were associated with celebrities.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” said Facebook spokesperson Jay Nancarrow. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
This breach is the latest in a series of security problems at the social media giant, including the high-profile Cambridge Analytica scandal and the more recent bulk scraping of Instagram user data.
The new security lapse exposes millions of users to “spam calls and SIM-swapping attacks, which rely on tricking cell carriers into giving a person’s phone number to an attacker. With someone else’s phone number, an attacker can force-reset the password on any Internet account associated with that number,” reports TechCrunch.