More than 267 million Facebook user phone numbers, names and user IDs were exposed in a database that anyone could access online, adding to a long list of privacy and security mishaps that continue to plague the world’s largest social network.
Researchers aren’t sure how the database was created. It could have been illegally compiled through an automated process called scraping, where public information is copied from the internet, in this case from Facebook profiles.
It could also have been created through the Facebook API, a tool that gives third-party developers access to user information so they can create Facebook applications. The API stopped giving access to user phone numbers in 2018, so it's possible the data was collected before the new policy was enacted.
Researchers believe the operation was being run by a criminal organization in Vietnam.
The database was not password-protected and was completely open to the public. Diachenko usually notifies the owner of an exposed database so they can secure it. However, in this case, the owners of the database were illegally maintaining it. So, the researcher directly informed the internet service provider managing the IP address of the server where the database was stored, and it was taken down on Dec. 19. Diachenko believes the illegal database was made public by mistake.
Facebook users who have their phone number set to public should be cautious of phone calls and text messages from unknown numbers, as the information could be used in spam or phishing campaigns.
Facebook has been hit with a number of issues this year. A similar database containing more than 400 million Facebook user IDs and phone numbers was discovered in September.