Pierluigi Paganini September 05, 2019

New problems to Facebook, phone numbers associated with more than 400 million accounts of the social network giant were exposed online.

A new privacy incident involved Facebook, according to TechCruch, phone numbers associated with 419 million accounts of the social network giant were exposed online.

The data was found by Sanyam Jain, a security researcher and member of the GDI Foundation, who contacted TechCrunch because he was able to contact the owner of the archive. 

Data were contained in multiple databases stored on an unsecured server exposed online.

“The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.” states Techcrunch.

“But because the server wasn’t protected with a password, anyone could find and access the database.”

Exposed records include Facebook user IDs, phone numbers, gender, and geographical locations.

The server remained online until TechCrunch has contacted the site’s host on September 4, 2019, data appeared to be loaded into the exposed database at the end of August.

This security breach put millions of Facebook users at risk of fraudulent activities, including SIM-swapping attacks and spam calls.

Facebook admitted the incident, but provided different information about the extent of the exposure, confirming that that number of impacted accounts was around half of the reported one.

Facebook attempted to downplay the severity of the incident by explaining that many of the records were duplicates and that the data was not up to date because had been scraped before Facebook cut off access to user phone numbers.

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” said Facebook spokesperson Jay Nancarrow. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

At the time of writing it is still unknown who amassed this huge quantity of data and for which reason.

Facebook disabled the API that shares users’ mobile phone and address details with developers back in 2011.

“Facebook has long restricted developers‘ access to user phone numbers. The company also made it more difficult to search for friends’ phone numbers. But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.” concludes Techcrunch.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]