Social media giant Facebook has confirmed that hundreds of millions of its users’ phone numbers were exposed in a non-password-protected online server.
Facebook’s admission follows a report by TechCrunch, which first brought the privacy lapse to light. The exposed data comprised more than 419 million records in total, including 130 million records from users in the US, 18 million from users in the UK and 50 million from users in Vietnam. Because the server was not password protected, anyone who found it online could read its contents.
Facebook took the database offline after TechCrunch made the company aware of the situation. A spokeswoman for Facebook claimed that the actual number of users exposed was approximately 210 million, because the records contained duplicates. The company is now investigating the incident to ascertain when the database was created and who is responsible for its creation.
The compromised records contained users’ unique Facebook IDs and the phone numbers listed on the accounts. A user’s Facebook ID, typically a long public number associated with a user’s account, can be easily used to discern an account’s username.
TechCrunch said it verified a number of the records by matching a known Facebook user’s phone number against their listed Facebook ID.
“We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account,” its report read. “Some of the records also had the user’s name, gender and location by country.”
This latest lapse in privacy puts the users whose records were exposed at risk of spam calls and SIM-swapping attacks, a type of account takeover fraud in which the attacker tricks a mobile carrier into transferring the victim’s phone number to the attacker. With control of the victim’s phone number, an attacker could force a password reset on any internet account associated with that number.
Security researcher and member of the GDI Foundation, Sanyam Jain, was responsible for discovering the database and for alerting TechCrunch to it. Both he and TechCrunch were unable to determine the owner of the database.
It has been speculated that the data was scraped using a tool that Facebook disabled in April 2018 following the Cambridge Analytica scandal. Until April 2018, the platform allowed anyone to search for users by their phone number or email.
The feature was useful for users looking to connect with their contacts, but it was often abused by data scrapers. Facebook spokesperson Jay Nancarrow said the data had been scraped before Facebook cut off access to user phone numbers.