Privacy lapse after a database containing millions of Facebook users' phone numbers was left unprotected online
A security researcher has discovered an unprotected database that contained 419 million phone numbers belonging to Facebook users.
It seems that the database in question was not owned, compiled, or put on the unprotected web server by Facebook, but it is reported that the data is that of Facebook users.
The security researcher in question is Sanyam Jain, who is also a member of the GDI Foundation. He contacted the TechCrunch website after he was unable to find the owner of the database.
After reviewing the data, TechCrunch could not find the owner either, but when it contacted the web host, the database was pulled offline.
The database found by Jain was not password protected, and the 419 million records were reportedly spread across several databases. There was a global flavour to the data, with 133 million records on US-based Facebook users, 18 million records on users in the UK, and more than 50 million records on users in Vietnam.
The data was said to contain a user's unique Facebook ID and the phone number listed on the account. TechCrunch said it had verified a number of records in the database by matching a known Facebook user's phone number against their listed Facebook ID.
Jain also said he was able to uncover profiles with phone numbers associated with several celebrities.
The fact that this data is out there means that the affected users could be at risk of receiving spam calls or of SIM-swapping attacks, which trick mobile operators into handing a person's phone number over to an attacker. With control of that person's phone number, the attacker could force-reset the password on any internet account associated with that number.
It should be reiterated that Facebook was not the owner of the database.
Facebook spokesperson Jay Nancarrow was quoted by TechCrunch as saying the data had been scraped before Facebook cut off access to user phone numbers.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson reportedly said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Facebook later claimed the server contained “about 220 million” records.