Another day, another mishap for Facebook.
In a report from Comparitech and security researcher Bob Diachenko, a database containing more than 267 million Facebook users’ data was left exposed without a password to prevent unauthorized access.
Based on the evidence, Diachenko believes the trove of data is most likely the result of "an illegal scraping operation or Facebook API abuse by criminals in Vietnam," collected before 2018, when Facebook added API restrictions to limit developers' access to user data.
The database was exposed on the internet for anyone to see for about two weeks, starting December 4th, the day it was first indexed.
Diachenko quickly notified the internet service provider managing the IP address of the server, urging that access be removed. However, Diachenko said that the data had already been posted to a hacker forum as a download.
The Elasticsearch cluster contained data from mostly U.S.-based users, with the entry for each user containing:
- A unique Facebook ID.
- A phone number.
- A full name.
- A timestamp.
While this isn't a lot of data per person, it is still enough for hackers to target those users with phishing attacks, large-scale SMS spam, or scams.
"We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information," said a Facebook spokesperson.
Before 2018, Facebook allowed access to users' phone numbers through its developer API. It was through this API, with access to users' profiles, friends lists, groups, photos, and event data, that third-party app developers could add social context to their apps.
Diachenko also said that Facebook's API could have a security hole that allowed criminals to access user IDs and phone numbers even after access was restricted.
Another possibility is that the data was stolen without using the Facebook API, and instead was scraped from publicly visible profile pages.
The term "scraping" describes a process in which automated bots scan a large number of web pages, copy the data, and store it in a database. For online platforms, including Facebook, differentiating bots from humans can be difficult, which makes scraping common.
Making things worse, many users leave their profiles public, which makes scraping much easier.
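The difficulty of telling bots from humans mentioned above is, in practice, a detection problem on the platform's own access logs. The following is an added example, not code from the article or from Facebook: it builds a constructed set of web-server log lines (the `/profile/<id>` path layout, the IP addresses and the user agents are all hypothetical) and flags any client that fetches an unusually large number of distinct profile pages within a short window, which is the simplest rate-based signal a defender can use to spot bulk profile scraping.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified access-log format (constructed for this example):
#   <ip> - - [<timestamp>] "<method> <path> <proto>" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Hypothetical profile-page path layout; adjust to the real site's URL scheme.
PROFILE_RE = re.compile(r"^/profile/\d+$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "ua": m.group("ua")}


def find_scrapers(lines, window_seconds=60, max_profiles=20):
    """Return {ip: peak distinct profiles seen within any window} for IPs at or
    above max_profiles. Humans browse a handful of profiles per minute; a bot
    pulling hundreds of thousands of records cannot stay under the threshold."""
    events = [e for e in (parse_line(l) for l in lines) if e and PROFILE_RE.match(e["path"])]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> (timestamp, path) pairs inside the sliding window
    peak = defaultdict(int)       # ip -> highest distinct-profile count observed
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["path"]))
        # Drop entries that fell out of the window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct > peak[e["ip"]]:
            peak[e["ip"]] = distinct
    return {ip: n for ip, n in peak.items() if n >= max_profiles}


def build_sample_log():
    """Constructed sample traffic: one automated client and one human-like client."""
    base = datetime(2019, 12, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Automated client (hypothetical IP): 25 distinct profiles in 25 seconds.
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f'203.0.113.7 - - [{t:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET /profile/{1000 + i} HTTP/1.1" 200 "python-requests/2.22.0"')
    # Human-like client (hypothetical IP): 3 profiles spread over several minutes.
    for i in range(3):
        t = base + timedelta(minutes=2 * i)
        lines.append(f'198.51.100.5 - - [{t:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET /profile/{2000 + i} HTTP/1.1" 200 "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, count in find_scrapers(build_sample_log()).items():
        print(f"suspected scraper {ip}: {count} distinct profiles within one window")
```

A threshold this simple only catches the naive case; a scraper that spreads requests across many source addresses or slows itself to a human pace needs per-account or per-session correlation and behavioural signals as well. The point of the example is that the raw material for detection, the per-client request pattern over time, is something the platform already has in its logs.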
Facebook previously had a similar incident, in which data on 419 million Facebook users was exposed in September 2019.