A security researcher has discovered an unprotected database online that contained 419 million phone numbers belonging to Facebook users.

It seems that the database in question was not owned, compiled, or put on the unprotected web server by Facebook, but it is reported that the data is that of Facebook users.

The news comes at a bad time for the social networking giant in light of past privacy scandals, as the firm seeks to ensure a more privacy-focused future.

Phone numbers

The security researcher in question is Sanyam Jain, who is also a member of the GDI Foundation. He contacted the TechCrunch website after he was unable to find the owner of the database.

After a review of the data, neither could TechCrunch, but when it contacted the web host, the database was pulled offline.

The database found by Jain was not password protected, and the 419 million records were reportedly spread across several databases. There was a global flavour to the data, with 133 million records on US-based Facebook users, 18 million records on users in the UK, and more than 50 million records on users in Vietnam.

The data was said to contain a user’s unique Facebook ID and the phone number listed on the account. TechCrunch said it had verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID.

Jain also said he was able to uncover profiles with phone numbers associated with several celebrities.

The fact that this data is out there means that the affected users could be at risk of receiving spam calls or of SIM-swapping attacks, which trick mobile operators into giving a person’s phone number to an attacker. With that person’s phone number, the attacker could force-reset the password on any internet account associated with that number.

Not Us

It should be reiterated that Facebook was not the owner of the database.

Facebook spokesperson Jay Nancarrow was quoted by TechCrunch as saying the data had been scraped before Facebook cut off access to user phone numbers.

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson reportedly said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

Facebook later claimed the server contained “about 220 million” records.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
