
Phone numbers of nearly 420M Facebook users exposed online

An unsecured database containing the phone numbers of more than 419 million Facebook users was recently found online, though the social network said no accounts have been compromised as a result of the exposure.

Security researcher Sanyam Jain discovered the server, which included phone numbers and, in some cases, names and locations of Facebook users. When he was unable to find the server's owner, Jain reported his findings to TechCrunch, which verified the records by cross-checking data with known profiles and matching numbers against Facebook's password reset feature.

The database is no longer online. When it was live, however, the server was left unprotected without a password, meaning anyone could search for and browse data that contained records of user IDs and associated phone numbers.

Records of some 133 million U.S. Facebook users were included in the database, as was information related to 18 million UK users and more than 50 million users in Vietnam, the report said.

Facebook spokesman Jay Nancarrow said the data was scraped prior to the shutdown of a feature that allowed users to search for friends by phone number. Facebook disabled the tool in the wake of the Cambridge Analytica scandal, citing bad actors who abused the service to scrape user information.

"This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers," Nancarrow said. "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised."

Who, exactly, scraped the data and for what reason remains unknown.

Today's revelations are the latest in a long line of Facebook snafus that threaten to encroach on user privacy. Aside from Cambridge Analytica, the social media monolith in 2018 confirmed a security breach impacting 30 million accounts. In March of this year, an investigation found hundreds of millions of unencrypted account passwords stored on internal servers.