Phone numbers of nearly 420M Facebook users exposed online
An unsecured database containing the phone numbers of more than 419 million Facebook users was recently found online, though the social network said no accounts have been compromised as a result of the exposure.
Security researcher Sanyam Jain discovered the server, which held phone numbers and, in some cases, names and locations of Facebook users. When he was unable to find the server's owner, Jain reported his findings to TechCrunch, which verified the records by cross-checking data with known profiles and matching numbers against Facebook's password reset feature.
The database is no longer online. When it was live, however, the server had no password or other authentication in front of it, meaning anyone who found it could search and browse records of Facebook user IDs and their associated phone numbers.
Records of some 133 million U.S. Facebook users were included in the database, as was information related to 18 million UK users and more than 50 million users in Vietnam, the report said.
Facebook spokesman Jay Nancarrow said the data was scraped prior to the shutdown of a feature that allowed users to search for friends by phone number. Facebook disabled the tool in the wake of the Cambridge Analytica scandal, citing bad actors who abused the service to scrape user information.
"This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers," Nancarrow said. "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised."
Who, exactly, scraped the data and for what reason remains unknown.
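The scraping the article describes works by enumerating phone numbers against a "find people by phone number" lookup. The following is an added example, not code from the article or from Facebook: a mock lookup endpoint in its unrestricted form, the enumeration loop that turns it into a phone-to-account mapping, and a hardened version that honours a per-user opt-in flag and caps lookups per authenticated caller. Every user, number and limit in it is constructed for the illustration.

```python
"""Added example (not the article's or Facebook's code): reverse phone lookup,
the scraper that abuses it, and two controls that limit the abuse.
All users, numbers and limits are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class User:
    uid: int
    name: str
    phone: str                          # E.164, constructed test numbers
    discoverable_by_phone: bool = True  # vulnerable default: everyone opted in


# Constructed directory; Bob and Eve have turned phone discovery off.
DIRECTORY = [
    User(1001, "Alice Example", "+15550100001"),
    User(1002, "Bob Example", "+15550100002", discoverable_by_phone=False),
    User(1003, "Carol Example", "+15550100003"),
    User(1004, "Dan Example", "+15550100004"),
    User(1005, "Eve Example", "+15550100005", discoverable_by_phone=False),
]
BY_PHONE: Dict[str, User] = {u.phone: u for u in DIRECTORY}


def lookup_vulnerable(phone: str) -> Optional[User]:
    """Unrestricted reverse lookup: any caller, any number, no budget, and the
    user's discoverability setting is never consulted."""
    return BY_PHONE.get(phone)


class RateLimited(Exception):
    """Raised when a caller has used up its lookup budget for the window."""


class HardenedLookup:
    """Reverse lookup that (a) only returns users who opted in and
    (b) caps lookups per authenticated caller per window."""

    def __init__(self, max_lookups_per_caller: int = 3) -> None:
        self.max = max_lookups_per_caller
        self.used: Dict[str, int] = {}  # caller_id -> lookups this window

    def lookup(self, caller_id: str, phone: str) -> Optional[User]:
        used = self.used.get(caller_id, 0)
        if used >= self.max:
            raise RateLimited(caller_id)
        self.used[caller_id] = used + 1
        user = BY_PHONE.get(phone)
        # Unknown numbers and opted-out users get the identical answer, so the
        # endpoint does not confirm that an opted-out number has an account.
        if user is None or not user.discoverable_by_phone:
            return None
        return user

    def new_window(self) -> None:
        """Called by a scheduler when the rate-limit window rolls over."""
        self.used.clear()


def scrape(lookup: Callable[[str], Optional[User]],
           prefix: str, start: int, stop: int, width: int = 4) -> Dict[str, User]:
    """Enumerate prefix+NNNN for NNNN in [start, stop) and keep every hit.
    Stops at the first RateLimited error, as a single-account scraper would."""
    found: Dict[str, User] = {}
    for n in range(start, stop):
        phone = f"{prefix}{n:0{width}d}"
        try:
            user = lookup(phone)
        except RateLimited:
            break
        if user is not None:
            found[phone] = user
    return found


def demo() -> Dict[str, int]:
    """Scrape the same number range against both endpoints; returns hit counts."""
    open_hits = scrape(lookup_vulnerable, "+1555010", 0, 10)
    hardened = HardenedLookup(max_lookups_per_caller=3)
    limited_hits = scrape(lambda p: hardened.lookup("scraper-account-1", p),
                          "+1555010", 0, 10)
    return {"vulnerable": len(open_hits), "hardened": len(limited_hits)}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 5, 'hardened': 1}
```

Two caveats a practitioner should keep in mind. A per-caller budget only slows a scraper who controls one account; one with many sock-puppet accounts spreads the lookups across them, which is one reason the article reports Facebook removing the feature outright rather than throttling it. And any endpoint that answers differently for "number belongs to an account" and "number unknown" is an enumeration oracle even when it returns no name; the password reset flow TechCrunch used to confirm the records is exactly such an oracle, which is why the hardened version above returns the same result for unknown and opted-out numbers.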
Today's revelations are the latest in a long line of Facebook snafus that threaten to encroach on user privacy. Aside from Cambridge Analytica, the social media monolith in 2018 confirmed a security breach impacting 30 million accounts. In March of this year, an investigation found hundreds of millions of unencrypted account passwords stored on internal servers.
Comments
1. It's not a problem. After all, the telephone company drops off a big and nearly useless book containing names, addresses, and phone numbers of lots of subscribers on my porch every year. Heck, they even provide (or at least used to) a list of numbers to telemarketers in electronic format.
2. Facebook really screwed up again and probably got their stuff hacked and someone will initiate a class action lawsuit and hundreds of millions will be eligible for free credit report monitoring for a year (value: nearly zero).
This is a non-issue.
I agree with 22July - a monetary fine on the CEOs of the corporations is the only thing that is likely to make any difference at all.
I know scammers can attempt to social-engineer my AT&T customer service rep to transfer control of my phone number to them, then hijack my AppleID... yes, I know that's possible, and it's also possible for pretty much anyone else too.
Just yesterday I had a scam call that my SSN "expired" and I was wanted by law enforcement. As a kick, I answered the call and spoke to (obviously) an individual of Indian/Pakistani descent. When he asked for my name, I gave him a fake name, then he proceeded to say "You're not <real name>?" So of course, he was cross-checking my phone number with some database.