A security researcher has discovered an unprotected database online that contained 419 million phone numbers belonging to Facebook users.

It seems that the database in question was not owned, compiled, or put on the unprotected web server by Facebook, but it is reported that the data is that of Facebook users.

The news comes at a bad time for the social networking giant in light of past privacy scandals, and the firm is seeking to ensure a more privacy-focused future.

Phone numbers

The security researcher in question is Sanyam Jain, who is also a member of the GDI Foundation. He contacted the TechCrunch website after he was unable to find the owner of the database.

After a review of the data, neither could TechCrunch, but when it contacted the web host, the database was pulled offline.

The database found by Jain was not password protected, and the 419 million records were reportedly spread across several databases. There was a global flavour to the data, with 133 million records on US-based Facebook users, 18 million records of users in the UK, and another with more than 50 million records on users in Vietnam.

The data was said to contain a user’s unique Facebook ID and the phone number listed on the account. TechCrunch said it had verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID.

Jain also said he was able to uncover profiles with phone numbers associated with several celebrities.

The fact that this data is out there means that the affected users could be at risk of receiving spam calls or of SIM-swapping attacks, which trick mobile operators into giving a person’s phone number to an attacker. With that person’s phone number, the attacker could force-reset the password on any internet account associated with that number.

Not Us

It should be reiterated that Facebook was not the owner of the database.

Facebook spokesperson Jay Nancarrow was quoted by TechCrunch as saying the data had been scraped before Facebook cut off access to user phone numbers.

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson reportedly said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

Facebook later claimed the server contained “about 220 million” records.

Tom Jowitt @TJowitt

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe.
