Hundreds of millions of records, each containing a user’s unique Facebook ID and the phone number associated with the account, have been discovered on a server online.
A database of more than 419m phone numbers linked to Facebook accounts has been discovered online.
The server contained records spread across several databases covering a variety of geographies, including 133m records from US-based Facebook accounts, 18m from UK users and 50m from users based in Vietnam. The server was reportedly not password protected and could therefore be found and accessed by anyone.
Each record contained a user’s unique Facebook ID and the phone number associated with the account. Facebook IDs are public numbers and can be used to discern an account’s username. Some of the records also contained a user’s name, gender and location by country.
The breach first came to light when Sanyam Jain, a security researcher and member of the GDI Foundation, found the database and reached out to TechCrunch after he was unable to find the owner. TechCrunch conducted its own research and verified a number of records in the database by matching numbers against users’ listed Facebook IDs.
According to a Facebook spokesperson, Jay Nancarrow, the data was scraped before Facebook cut off access to user phone numbers.
“The data set has been taken down and we have seen no evidence that Facebook accounts were compromised,” he told TechCrunch.
Having phone numbers leaked can leave affected users open to spam calls and even SIM-swapping attacks, in which cybercriminals convince mobile carriers to transfer a person’s phone number to a SIM card the attackers control. From there, attackers can infiltrate bank accounts, PayPal accounts and any other accounts that rely on the phone number for verification.
Facebook could not be reached for comment at the time of publication.
‘Yet another major data leak’
Joseph Carson, chief security scientist at Thycotic, commented on the development: “No surprise here that Facebook is again in the headlines resulting from yet another major data leak. The size of the data breach impacting 419m user accounts makes it one of the largest data breaches in 2019.
“The statement from Facebook downplaying the significance of the data breach is an attempt to reduce accountability by stating that the data is old. However, this does not make any difference when such data does not change, meaning that while old, it is very likely to be still accurate and valid.
“The other mention that Facebook has not detected any attempt of Facebook accounts being compromised is another backing down of responsibility. Most of the abuse of such data would be along the lines of increased robot calls or messages sent via SMS or WhatsApp containing links to malware that will steal more data or even install malicious software, giving cybercriminals full access to the devices or accounts linked to the device.
“It is important to acknowledge that data breaches are bad and that the company is taking the right steps to ensure the victims are informed if their data was impacted, along with what actions they are taking to prevent abuse of that data. Facebook is becoming the opposite of privacy and security.”