A database has been uncovered containing over 267 million Facebook users' IDs, phone numbers, and names, exposed on the web for anyone to access without a password or any other authentication.
The database was discovered by Comparitech and Bob Diachenko, a security researcher, and is believed to have been gathered by cybercriminals from Vietnam.
The information is thought to have been accessed via Facebook’s API, which app developers use to add social context to their applications by accessing users’ profiles, friends lists, groups, photos, and event data. However, Facebook restricted access to phone numbers in 2018, so the information would have been accessed prior to 2018, as phone numbers were among the details exposed. It is also possible that there is a security hole in Facebook’s API allowing criminals to access user IDs and phone numbers even after access was restricted.
Alternatively, the information could have been obtained by illegal scraping, a process in which automated bots quickly sift through large numbers of web pages, copying data into a database.
It is believed the information could be used for large-scale SMS spam and phishing campaigns, as well as other cybersecurity threats. The internet service provider managing the IP address of the server has been notified so that access to the database could be removed; however, the data was also posted to a hacker forum, where it was available for download.
According to Comparitech, the database was first indexed on December 4, 2019, and the data was posted as a download on a hacker forum a week later. On December 14, 2019, Diachenko discovered the database and sent an abuse report to the ISP managing the IP address of the server. However, the database was only made unavailable on December 19, 2019.
A total of 267,140,436 records were exposed, with most of the users from the U.S. Each record contained a unique Facebook ID, a phone number, a full name, and a timestamp.
The data breach comes just three months after Facebook’s previous incident, in which over 419 million records were found on an exposed server.
Facebook was fined $5 billion by the Federal Trade Commission (FTC) in July 2019, following an investigation which found Facebook had failed to follow guidelines set out in a 2011 agreement, whereby the company had to seek users’ consent and inform them before sharing data in a way that was in breach of their privacy settings. 87 million users’ personal data had been improperly collected by Cambridge Analytica, which had accessed users’ data via a Facebook quiz that promised to reveal their personality type. The quiz was designed to gather the data from that profile and the data of the user's friends. The FTC believed Facebook had “deceived” users into believing their data was private when on numerous occasions this information was made public.
Facebook has not released an official statement following this latest incident, with a spokesperson only commenting to Engadget, “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”