Phone numbers of nearly 420M Facebook users exposed online

Posted:
in General Discussion edited September 2019
An unsecured database containing the phone numbers of more than 419 million Facebook users was recently found online, though the social network said no accounts have been compromised as a result of the exposure.

Facebook HQ


Security researcher Sanyam Jain discovered the server that included phone numbers and in some cases names and locations of Facebook users. When he was unable find the server's owner, Jain reported his findings to TechCrunch, which verified the records by cross-checking data with known profiles and matching numbers against Facebook's password reset feature.

The database is no longer online. When it was live, however, the server was left unprotected without a password, meaning anyone could search for and browse data that contained records of user IDs and associated phone numbers.

Records of some 133 million U.S. Facebook users were included in the database, as was information related to 18 million UK users and more than 50 million users in Vietnam, the report said.

Facebook spokesman Jay Nancarrow said the data was scraped prior to the shutdown of a feature that allowed users to search for friends by phone number. Facebook disabled the tool in the wake of the Cambridge Analytica scandal, citing bad actors who abused the service to scrape user information.

"This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers," Nancarrow said. "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised."

Who, exactly, scraped the data and for what reason remains unknown.

Today's revelations are the latest in a long line of Facebook snafus that threaten to encroach on user privacy. Aside from Cambridge Analytica, the social media monolith in 2018 confirmed a security breach impacting 30 million accounts. In March of this year, an investigation found hundreds of millions of unencrypted account passwords stored on internal servers.
«1

Comments

  • Reply 1 of 21
    Just close your account already. This company is unacceptable.
    GG1spice-boychialolliverviclauyycdonjuanmacseekerboxcatcherolsargonaut
  • Reply 2 of 21
    cpsrocpsro Posts: 3,192member
    Whatsapp is owned by FB and will do nothing for a user without full access to contacts. Android users gave permission to access contacts by merely downloading the app. iOS users had to give explicit permission, which millions did. While you might have denied Whatsapp access, it's very likely one of your friends or relatives authorized access and gave FB your information.
    dysamoriaargonautajlwatto_cobra
  • Reply 3 of 21
    I would say a penalty of $5 for each person whose data was compromised would be pretty fair.
    GG1MplsPchristophblolliverviclauyycTomEmuthuk_vanalingamdysamoriaargonautkestral
  • Reply 4 of 21
    linkmanlinkman Posts: 1,035member
    I think we can look at this two different ways:

    1. It's not a problem. After all, the telephone company drops off a big and nearly useless book containing names, addresses, and phone numbers of lots of subscribers on my porch every year. Heck, they even provide (or at least used to) a list of numbers to telemarketers in electronic format.

    2. Facebook really screwed up again and probably got their stuff hacked and someone will initiate a class action lawsuit and hundreds of millions will be eligible for free credit report monitoring for a year (value: nearly zero).
    forgot usernamewatto_cobra
  • Reply 5 of 21
    roakeroake Posts: 809member
    I have no trust at all for Facebook and Google.  I don’t think any company that views the customer as the product will ever have sufficient motivation to keep my personal data private.
    edited September 2019 GG1MplsPchialolliverviclauyycdonjuanmacseekerdysamoriaStrangeDaysols
  • Reply 6 of 21
    sflocalsflocal Posts: 6,092member
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.

    Still waiting for the management of Equifax to be jailed.  That's REAL damaging information that was leaked.
    MplsPdewmemuthuk_vanalingamdysamoriadavgregCarnagebadmonk
  • Reply 7 of 21
    MplsPMplsP Posts: 3,911member
    cpsro said:
    Whatsapp is owned by FB and will do nothing for a user without full access to contacts. Android users gave permission to access contacts by merely downloading the app. iOS users had to give explicit permission, which millions did. While you might have denied Whatsapp access, it's very likely one of your friends or relatives authorized access and gave FB your information.
    THis is the problem. Facebook is constantly scraping data from every source possible, so even if you take precautions, all it takes is one friend to not be cautious and your data is exposed. 

    I agree with 22July - a monetary fine on the CEO’s of the corporations is the only thing that is likely to make any difference at all.
    lolliverdysamoriaforgot usernamewatto_cobra
  • Reply 8 of 21
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.

    Still waiting for the management of Equifax to be jailed.  That's REAL damaging information that was leaked.
    Guess you enjoy spam calls and tele-marketers? 
    lolliverdonjuand_2StrangeDaysargonaut
  • Reply 9 of 21
    mknelsonmknelson Posts: 1,120member
    spice-boy said:
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.

    Still waiting for the management of Equifax to be jailed.  That's REAL damaging information that was leaked.
    Guess you enjoy spam calls and tele-marketers? 
    And potentially having your AppleID or other accounts stolen if your SIM gets ported out from under you. I believe that's how many of the images stolen in 2014 (the fappening) happened.
    donjuandysamoriaStrangeDaysargonautforgot usernamewatto_cobra
  • Reply 10 of 21
    sflocalsflocal Posts: 6,092member
    spice-boy said:
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.

    Still waiting for the management of Equifax to be jailed.  That's REAL damaging information that was leaked.
    Guess you enjoy spam calls and tele-marketers? 
    mknelson said:
    spice-boy said:
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.

    Still waiting for the management of Equifax to be jailed.  That's REAL damaging information that was leaked.
    Guess you enjoy spam calls and tele-marketers? 
    And potentially having your AppleID or other accounts stolen if your SIM gets ported out from under you. I believe that's how many of the images stolen in 2014 (the fappening) happened.
    What?  Did spam and telemarketers not exist prior to the Intenet?  They've been a scourge since the rotary phone days.  

    My mobile phone number is out there for a myriad of reason.  I don't like to but it's necessary.   If you're using a mobile phone, and you want it private good luck.  You may not put it out there, but guarantee that your mobile provider probably sells/shares your phone number to some 3rd party folks, and who knows where that info goes from there.  Your phone number is in your bank info, credit info, etc... those get hacked, abused, leaked, etc... 

    I know scammers can attempt to social-engineer my AT&T customer service rep to transfer control of my phone number to them, then hijack my AppleID... yes.. I know that's possible, and it's also possible for pretty much anyone else too.  

    Leaking any kind of customer info is unacceptable.  I just don't think it's the big deal as people are making it out to be.

    Just yesterday I had a scam call that my SSN "Expired" and I was wanted by law enforcement.  As a kick, I answered the call and spoke to (obviously) an individual of Indian/Pakistan descent.  When he asked for my name, I gave him a fake name, then he proceeded to say "You're not <real name>?"  So of course, he was cross-checking my phone number with some database.

    It's a done deal.  On the flip-side, AT&T has made great progress to prevent scam/spam calls from reaching me.  So it's getting better.


    muthuk_vanalingamforgot usernameCarnage
  • Reply 11 of 21
    dewmedewme Posts: 5,335member
    Yeah, this is the company I want managing my digital currency. 
    dysamoriadavgregCarnagemonstrosityFileMakerFellerwatto_cobra
  • Reply 12 of 21
    TomETomE Posts: 172member
    And many people have not changed their phone numbers in 20 years.
    dysamoriawatto_cobra
  • Reply 13 of 21
    dysamoriadysamoria Posts: 3,430member
    sflocal said:

    It's a done deal.  On the flip-side, AT&T has made great progress to prevent scam/spam calls from reaching me.  So it's getting better.
    It’s NOT “getting better” for me. Same carrier. Then there’s my land line. Scam and robo calls have only gotten worse. No systemic change has been made.
    watto_cobra
  • Reply 14 of 21
    Just close your account already. This company is unacceptable.
    Once “Sign In with Apple” launches, I’m doing it.
    watto_cobra
  • Reply 15 of 21
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.
    Cool. What’s your name and number? Non-issue in sharing it, right? If you don’t wish to share that data with us, then congrats, you’ve illustrated why this is an issue. Whatever the reason you don’t want to publish your name and number here on the internet, is the same reason others don’t want theirs published. 
    edited September 2019 watto_cobra
  • Reply 16 of 21
    macguimacgui Posts: 2,350member
    Is this new news or old news (still still not good news)?
    watto_cobra
  • Reply 17 of 21
    roake said:
    I have no trust at all for Facebook and Google.  I don’t think any company that views the customer as the product will ever have sufficient motivation to keep my personal data private.
    Break them up.
    watto_cobra
  • Reply 18 of 21
    blah64blah64 Posts: 993member
    cpsro said:
    Whatsapp is owned by FB and will do nothing for a user without full access to contacts.
    Unfortunately, this is the way a lot of tools work, even Signal.  Signal has great technical merits, its encryption is great, but because it requires you to be in your friends' contact lists, that's a huge glaring data privacy flaw.  Other "private" communication tools like Viber require the same thing.
    Android users gave permission to access contacts by merely downloading the app. iOS users had to give explicit permission, which millions did. While you might have denied Whatsapp access, it's very likely one of your friends or relatives authorized access and gave FB your information.
    So how can this very fundamental (societal) problem be fixed?  People are lazy, and they don't want to deal with having multiple contact lists or even just simply not sharing their contact lists with various services.  Like facebook, for one terrible example.

    I simply ask people to NOT put my personal information into their contact lists.  Unfortunately, in the broken world that we live in right now, that sometimes has social ramifications, ranging from questioning looks and an explanation (sometimes helpful) to what amounts to okay-then-I-don't-want-to-be-your-friend.  It also means hoping that your friends are not only honest about it, but diligent about it, and don't forget 2 years later.

    It's not just phone numbers that are being divulged, it's all the personal data people enter in their contacts app, like birthdays, home and work addresses, emails, work title and other information, personal relationships ("wife", "uncle", etc), and notes.  Oh, the dreaded "notes" field.  We have no idea what kind of notes our friends might jot down about us, and then share with online services like facebook or google or any number of others.  Simply because it feels like they're just adding it to their personal contacts list.

    Again, this isn't to complain, it's a serious question that I've asked before.  How can we fix this problem?  Or at least mitigate the damage?  I'm hoping that you care at least somewhat, because you mentioned it.  I guess I could be wrong on that part.
    edited September 2019 FileMakerFellerwatto_cobra
  • Reply 19 of 21
    blah64blah64 Posts: 993member
    sflocal said:
    Like most people's phone numbers aren't already out there on the Internet for every phone scammer to use anyways?

    This is a non-issue.
    Cool. What’s your name and number? Non-issue in sharing it, right? If you don’t wish to share that data with us, then congrats, you’ve illustrated why this is an issue. Whatever the reason you don’t want to publish your name and number here on the internet, is the same reason others don’t want theirs published. 
    He probably won't answer, or will have some kind of snarky response instead of actually addressing the issue.  People don't like being told that their thinking is incongruous.

    Many people say they don't care about privacy because they have nothing to hide, and yet I still haven't had anyone take me up when I ask them to let me thumb through all their texts on their phone.  And I'm virtually harmless, I have no power to retain that information forever and to correlate it with all kinds of other data and communications and purchases and locations, share it with other companies (in some cases), share with government requests, get hacked, etc.

    If you have any thoughts on my question above, feel free to respond.  It's not an easy topic to discuss, and most people simply don't want to deal with messy, inconvenient things.  But I think it needs to have more discussion.
    edited September 2019 watto_cobra
  • Reply 20 of 21
    blah64blah64 Posts: 993member
    ajl said:
    cpsro said:
    Whatsapp is owned by FB and will do nothing for a user without full access to contacts. Android users gave permission to access contacts by merely downloading the app. iOS users had to give explicit permission, which millions did. While you might have denied Whatsapp access, it's very likely one of your friends or relatives authorized access and gave FB your information.
    Exactly!
    It sounds like you don't like this.  How do you deal with it in everyday life, in the real world?
Sign In or Register to comment.