Hundreds of millions of Facebook users’ phone numbers were exposed in an open online database, the company confirmed Wednesday, in the latest example of Facebook’s past privacy lapses coming back to haunt its users.
The database contained 133 million records from the US, 18 million in the UK and 50 million in Vietnam.
However, a Facebook spokeswoman added that the actual number of affected users was 210 million, since the unsecured database contained duplicate records.
Until a little over a year ago, entering a phone number into Facebook’s search bar would reveal the account connected to that number.
Although Facebook has abandoned this practice, it is believed that the phone numbers were scraped before it did so.
Screenshot of the leaked database
However, GDI Foundation security researcher Victor Gevers tweeted that “Although Facebook had disabled the API that shares users’ mobile phone & address details back in 2011, this data leak with scraped Facebook details was deployed recently in August 2019 on the latest version (4.0.12) of MongoDB.
There is also a mail server running on that server.”
Nevertheless, the breach is still alarming for a number of reasons.
Firstly, phone numbers are a goldmine for spammers and scammers, who can use them to bombard these users with unsolicited marketing messages and calls.
Secondly, they could be used to aid SIM swapping against users who rely on their phone number as a second factor for two-factor authentication.
How serious can this be?
Well, last week Jack Dorsey’s Twitter account was compromised by just such a technique, despite his being the company’s CEO; an ordinary user is far more vulnerable.
Sanyam Jain, a security researcher and member of the GDI Foundation, first discovered the database.
The owner could not be identified by either him or TechCrunch, but the database was taken offline once the web host was notified.
Facebook added that many of the entries were duplicates and that the data was old.
‘The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,’ a Facebook spokesperson told AFP.
As the database has now been taken offline, there is no way for concerned users to find out if their information was leaked.
Sites like HaveIBeenPwned are good ways of checking your details against all known leaks, but they are not a bulletproof method.
Following the 2018 Cambridge Analytica scandal, when a firm used Facebook’s lax privacy settings to access millions of users’ personal details, the company disabled a feature that allowed users to search the platform by phone numbers.
The exposure of a user’s phone number leaves them vulnerable to spam calls and to SIM swapping, as recently happened to Twitter CEO Jack Dorsey, which lets hackers force password resets on the accounts tied to that number.
In July, the Federal Trade Commission announced that it had agreed to a settlement with the social media giant under which it would pay a £4 billion fine and introduce a number of new audits into its business to ensure privacy and data protection measures are in place.