A database exposing the names, phone numbers and Facebook user IDs of millions of platform users was left unsecured on the web for nearly two weeks before it was removed.
Security researcher Bob Diachenko, who along with Comparitech discovered the unsecured Elasticsearch database, believe it belongs to a cybercriminal organization, as opposed to Facebook. Diachenko went to the internet service provider (ISP) managing the IP address of the server so that the access could be removed.
“A database this big is likely to be used for phishing and spam, particularly via SMS,” according to the Thursday report. “Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”
The database was first indexed on Dec. 4 and was discovered by researchers on Dec. 14. While the database is now unavailable on the IP address where it was discovered, Diachenko said the data was also posted to a hacker forum as a download on Dec. 12.
The server itself included a landing page with a login dashboard and welcome note. The more than 267 million records in the database included unique Facebook IDs (which are public numbers associated with unique Facebook accounts, used to discern accounts’ usernames and other profile data), phone numbers, full names and a timestamp. The affected Facebook users in the database were mostly from the U.S., according to researchers.
As to how the information in the database was collected in the first place, it’s still unclear. Diachenko said one possibility was that the data was stolen from Facebook’s developer API – used by app developers to access user profiles and connected data – before the company restricted developer access to phone numbers and other data in 2018.
Other possibilities include the fact that Facebook’s API could have a glitch, enabling criminals to access user IDs and phone numbers even after access was restricted in 2018; or that data was scraped from publicly visible profile pages, researchers said.
“‘Scraping’ is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database,” according to the report. “It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service.”
Regardless, researchers warn Facebook users to adjust their privacy settings to private instead of public, decreasing the chances of their profiles being scraped by third parties – particularly since the data was also posted to a hacker forum and is still in the hands of cybercriminals who could potentially use it for spam or targeted phishing attacks.
It’s not the first time Facebook data has been discovered floating around exposed in the wild. In September, an open server was discovered leaking hundreds of millions of Facebook user phone numbers. And in April, researchers found two separate datasets, held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook.