A new privacy incident involved Facebook: according to TechCrunch, phone numbers associated with 419 million accounts of the social
Data were contained in multiple databases stored on an unsecured server exposed online.
“The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam,” states TechCrunch.
“But because the server wasn’t protected with a password, anyone could find and access the database.”
Exposed records include Facebook user IDs, phone numbers, gender, and geographical locations.
The server remained online until TechCrunch contacted the site’s host on September 4, 2019; the data appeared to have been loaded into the exposed database at the end of August.
This security breach put millions of Facebook users at risk of fraudulent activities, including SIM-swapping attacks and spam calls.
Facebook admitted the incident but provided different information about the extent of the exposure, confirming that the number of impacted accounts was around half of the reported one.
Facebook attempted to downplay the severity of the incident by explaining that many of the records were duplicates and that the data was not up to date because it had been scraped before Facebook cut off access to user phone numbers.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” said Facebook spokesperson Jay Nancarrow.
At the time of writing, it is still unknown who amassed this huge quantity of data and for what reason.
Facebook disabled the API that shares
“Facebook has long restricted developers’ access to user phone numbers. The company also made it more difficult to search for friends’ phone numbers. But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new,” concludes TechCrunch.