Security expert Bob Diachenko, along with Comparitech, has discovered more than 267 million Facebook user IDs, phone numbers and names in an unsecured database.
The huge trove of data is likely the result of an illegal scraping operation or Facebook API abuse by a group of hackers in Vietnam. The exposed data could be used by threat actors to conduct large-scale SMS spam and phishing campaigns.
“A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.” reads the post published by Comparitech. “
In total the archive contained 267,140,436 records, most of the affected users were from the United States.
Diachenko discovered the unsecured database on December 14, but it was first indexed on December 4, unfortunately, the Facebook information was posted on a hacker forum since December 12.
On December 14, the expert sent an abuse report to the ISP managing the IP address of the server and on December 19 the database was shut down.
At the time it is not clear how hackers obtained the data, Diachenko believe that there are to possible scenarios.
In the first scenario, attackers could have exploited Facebook’s API used by developers to access data (i.e. Friends list, photos, and groups). This was possible only before Facebook implemented the restrictions to the access to user phone numbers in 2018, alternatively, the attackers might have exploited a security hole. Criminals could have also scraped information from public Facebook profiles using automated tools.
In September 2019, other databases containing 419 million records were exposed, the huge trove of data included phone numbers and Facebook IDs.
A Facebook spokesman confirmed that in a statement that the company is investigating into the case, but the information was likely harvested before 2018.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.