Report: Facebook Database Found Online Exposed Phone Numbers of Millions

Report: Facebook Database Found Online Exposed Phone Numbers of Millions

A database that was left without password protection was discovered by a security researcher, who said 419 million records of Facebook user phone numbers were exposed.

Following a year of vocal concerns from lawmakers and users about Facebook’s security practices, the social media giant is facing renewed outrage over a database discovered online that reportedly contained hundreds of millions of user phone numbers.

Security researcher Sanyam Jain found the database online and shared the discovery with TechCrunch. The database seems to be connected to a tool no longer used by Facebook that allowed users to search for potential friends based on phone number that a user had willingly given the site.

A server that did not belong to Facebook, and was publicly accessible without password protection, housed a database of the phone numbers. Jain told TechCrunch that he found several phone numbers of celebrities in the database, which was taken down after the news outlet contacted the web host. The owner of the server is still unknown.

While Jain said the database contained records of more than 419 million Facebook users, with 133 million alone in the U.S., Facebook’s PR team is telling reporters that the figure is bloated and that the server contained “closer to half” of 419 million, according to Gizmodo.

Jay Nancarrow, a spokesperson for Facebook, told TechCrunch that the data was scraped before Facebook cut off access to user phone numbers in April 2018.

“The data set has been taken down and we have seen no evidence that Facebook accounts were compromised,” he said.

Still, security experts note that cell phone number data in particular is sensitive to abuse from targeted robocalls, malware attacks and more.

“[Users] can’t recover by something as simple as changing their password – they would have to redo their Facebook account or get a different phone number – both very unappealing actions,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst. “Another example of people’s personal data being exposed by careless actions of those trusted to safeguard it.”

Paul Bischoff, privacy advocate for Comparitech, said the exposure could put millions of Facebook users at risk of spam, harassment and SIM swap fraud. Because phone numbers are often used for two-factor authentication, the information could be abused by malicious actors, he added.

“By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user's phone via SMS when logging in,” Bischoff said.

For Johnathan Deveaux, head of enterprise data protection at comforte AG, the main risk of the incident is the potential of spam calls, which are consistent nuisances even to people who have not had their phone number leaked.

“The more sensitive data a company has, the more critical it is to protect the data,” Deveaux said. “A ‘security-first’ policy employing a data-centric approach helps ensure data is protected throughout an organization.”

 

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3