Unsecured Database Exposed 419 Million Facebook Users' Phone Numbers To Public

04/09/2019

Following a series of mishaps that have haunted Facebook for more than a year, here is yet another piece of bad news for the social giant.

More than 419 million records containing Facebook IDs and phone numbers were stored on an online server that was not password protected, the technology website TechCrunch reported.

The exposed data included about 133 million records for users in the U.S., 18 million for users in the UK, and 50 million for users in Vietnam.

This kind of exposure, TechCrunch wrote, can often be traced to human error rather than a malicious breach; such data exposures nevertheless represent a growing security problem.

After TechCrunch reported its finding, Facebook confirmed the incident and quickly took the database offline.

Image: a screenshot of the leaked records, showing phone numbers of users in the UK. (Credit: TechCrunch)

Facebook said that it was investigating when and how the database was exposed, and by whom it was compiled.

A spokeswoman for the company said that the actual number of users whose information was exposed was approximately 210 million, because many of the 419 million records were duplicates.
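To make the gap between 419 million rows and roughly 210 million accounts concrete, here is an added triage script (not TechCrunch's or Facebook's code) of the kind an analyst would run over such a dump: it normalizes phone numbers to E.164 form, deduplicates by Facebook ID, and counts numbers per country by calling code. The records are constructed for illustration, and the mapping of +1 to the U.S. is a simplification noted in the code.

```python
"""Triage of a leaked (facebook_id, phone) dump: normalize the numbers,
deduplicate by account ID and break the result down by country.

Added example for this article; not code from TechCrunch or Facebook.
The records below are constructed, not taken from the real dataset.
"""
import re
from collections import Counter

# Calling codes for the three countries the article names.
# Assumption: +1 is treated as US here. In reality +1 is shared with
# Canada and other NANP countries, so a real triage needs area-code tables.
CALLING_CODES = {"1": "US", "44": "UK", "84": "VN"}

# Constructed sample. The same account appears several times with the
# phone number formatted differently, which is how 419M rows can
# collapse to far fewer distinct accounts once normalized.
SAMPLE_RECORDS = [
    ("100000000000001", "+1 (415) 555-0101"),
    ("100000000000001", "14155550101"),
    ("100000000000001", "001-415-555-0101"),
    ("100000000000002", "+1 212-555-0199"),
    ("100000000000002", "+1 212-555-0188"),   # second number, same account
    ("100000000000003", "+44 20 7946 0958"),
    ("100000000000003", "0044 20 7946 0958"),
    ("100000000000004", "+44 7700 900123"),
    ("100000000000005", "+84 91 234 5678"),
    ("100000000000005", "+84 91 234 5678"),
    ("100000000000006", "not a number"),      # garbage row, must not crash
]


def normalize_phone(raw):
    """Return the number in E.164 form ('+' followed by digits), or None
    if it cannot be parsed. Handles a leading '+', the '00' international
    prefix and assorted punctuation."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("00"):
        digits = digits[2:]
    if not 7 <= len(digits) <= 15:   # E.164 allows at most 15 digits
        return None
    return "+" + digits


def country_of(e164):
    """Map a normalized number to a country by calling code, longest
    prefix first, falling back to 'OTHER' for codes not in the table."""
    body = e164[1:]
    for length in (3, 2, 1):
        if body[:length] in CALLING_CODES:
            return CALLING_CODES[body[:length]]
    return "OTHER"


def triage(records):
    """Deduplicate by Facebook ID and report: raw row count, distinct
    accounts, accounts with more than one number, unparseable rows
    (counted, not silently dropped) and distinct numbers per country."""
    phones_by_id = {}
    unparseable = 0
    for fb_id, raw in records:
        e164 = normalize_phone(raw)
        if e164 is None:
            unparseable += 1
            continue
        phones_by_id.setdefault(fb_id, set()).add(e164)

    by_country = Counter()
    for phones in phones_by_id.values():
        for number in phones:
            by_country[country_of(number)] += 1

    return {
        "rows": len(records),
        "unique_accounts": len(phones_by_id),
        "accounts_with_multiple_numbers": sum(
            1 for p in phones_by_id.values() if len(p) > 1),
        "unparseable_rows": unparseable,
        "by_country": dict(by_country),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

On the constructed sample, eleven rows reduce to five distinct accounts; the per-country figures count distinct numbers, which is why the U.S. total is three while only two U.S. accounts exist. Normalization before deduplication matters: comparing the raw strings would have counted the three U.S. variants of the first account as three different people.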

According to researchers, the records in the database were likely amassed using a feature that Facebook disabled in April 2018, in the aftermath of the Cambridge Analytica scandal. That scandal showed how Facebook's missteps in protecting user privacy had allowed third parties, including a political consultancy, to obtain personal information on tens of millions of users.

Until then, Facebook had allowed anyone on the web to search for Facebook users by their phone number. But that feature was used in a way Facebook had not anticipated:

"Malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search," said Facebook CTO Mike Schroepfer. "Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way."

Facebook said that the exposed data was "old", and could have been scraped before the 2018 changes that followed the Cambridge Analytica scandal.

"This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers," a spokeswoman said in a statement. "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised."

Still, experts warn that malicious actors can make use of this data: phone numbers, however "old", remain a key identifier for linking a person to other records.

While not as sensitive as Social Security numbers, phone numbers are important identifiers that can be used to obtain significant amounts of personal information about an individual and their family from online data brokers, The New York Times reported in August.

Skilled attackers can also enrich the data by matching a leaked phone number against accounts registered on other social media sites, learning current and previous physical addresses, and by persuading phone carriers to perform a SIM swap, which moves the victim's number onto a SIM card the attacker controls.

This kind of attack was recently suffered by Twitter founder and CEO Jack Dorsey, whose Twitter account was hijacked.