Data including names and phone numbers could be used by criminals to carry out phishing attacks, in latest Facebook privacy lapse
Facebook said it is looking into a report that personal details of more than 267 million of its users were made publicly available online.
The report is the latest in a string of privacy failings at the company, even as it has pledged to make privacy a priority as part of the record $5 billion (£3.85bn) settlement it reached with the FTC earlier this year over historic privacy violations.
Technology website Comparitech and security researcher Bob Diachenko said they uncovered an Elasticsearch cluster with some 267,140,436 user records, including unique Facebook ID numbers, phone numbers and full names.
Most of the users affected were in the United States, Comparitech said.
The cluster, first indexed on 4 December, was accessible without a password or any other authentication.
Comparitech contacted the ISP controlling the server to have the cache removed, but said the data was also posted to a hacker website.
The data appears to have been either illegally scraped from publicly available Facebook profiles or obtained via Facebook’s own APIs prior to 2018, when technical changes made such data leaks more difficult.
It’s also possible that the data was obtained via a security hole in Facebook’s API, Diachenko said.
Criminals in Vietnam are likely to be responsible for gathering the data, Comparitech said, adding that it could leave users exposed to spam and phishing attacks via telephone.
“The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users,” Comparitech said.
The company advised users to be wary of unsolicited SMS messages and phone calls and to change their privacy settings to reduce the risk of data scraping.
Facebook said it was “looking into this issue”.
It added that the data was likely to have been obtained “before changes we made in the past few years to better protect people’s information”.
Errors by third parties have exposed 540 million Facebook records, while earlier this year 20,000 Facebook staff were found to have access to 600 million users’ passwords.