Report: Facebook Database Found Online Exposed Phone Numbers of Millions

Report: Facebook Database Found Online Exposed Phone Numbers of Millions

A database that was left without password protection was discovered by a security researcher, who said 419 million records of Facebook user phone numbers were exposed.

Following a year of vocal concerns from lawmakers and users about Facebook’s security practices, the social media giant is facing renewed outrage over a database discovered online that reportedly contained hundreds of millions of user phone numbers.

Security researcher Sanyam Jain found the database online and shared the discovery with TechCrunch. The database seems to be connected to a tool no longer used by Facebook that allowed users to search for potential friends based on phone number that a user had willingly given the site.

A server that did not belong to Facebook, and was publicly accessible without password protection, housed a database of the phone numbers. Jain told TechCrunch that he found several phone numbers of celebrities in the database, which was taken down after the news outlet contacted the web host. The owner of the server is still unknown.

While Jain said the database contained records of more than 419 million Facebook users, with 133 million alone in the U.S., Facebook’s PR team is telling reporters that the figure is bloated and that the server contained “closer to half” of 419 million, according to Gizmodo.

Jay Nancarrow, a spokesperson for Facebook, told TechCrunch that the data was scraped before Facebook cut off access to user phone numbers in April 2018.

“The data set has been taken down and we have seen no evidence that Facebook accounts were compromised,” he said.

Still, security experts note that cell phone number data in particular is sensitive to abuse from targeted robocalls, malware attacks and more.

“[Users] can’t recover by something as simple as changing their password – they would have to redo their Facebook account or get a different phone number – both very unappealing actions,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst. “Another example of people’s personal data being exposed by careless actions of those trusted to safeguard it.”

Paul Bischoff, privacy advocate for Comparitech, said the exposure could put millions of Facebook users at risk of spam, harassment and SIM swap fraud. Because phone numbers are often used for two-factor authentication, the information could be abused by malicious actors, he added.

“By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user's phone via SMS when logging in,” Bischoff said.

For Johnathan Deveaux, head of enterprise data protection at comforte AG, the main risk of the incident is the potential of spam calls, which are consistent nuisances even to people who have not had their phone number leaked.

“The more sensitive data a company has, the more critical it is to protect the data,” Deveaux said. “A ‘security-first’ policy employing a data-centric approach helps ensure data is protected throughout an organization.”


About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.


  • CISA Kicks Off 20th Anniversary of Cybersecurity Awareness Month

    CISA Kicks Off 20th Anniversary of Cybersecurity Awareness Month

    The Cybersecurity and Infrastructure Security Agency (CISA) recently announced the kickoff of the 20th Cybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online. Read Now

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3