Leaky Server Exposes 419M Phone Numbers of Facebook Users


Server lacked password protection and included multiple databases with records from the U.S., U.K. and Vietnam.

Phone numbers linked to the Facebook accounts of hundreds of millions of users have been found online on an insecure server, in the latest privacy gaffe for the social media giant.

The server, which lacked password protection, contained more than 419 million records over several databases of Facebook users across multiple geographies, including 133 million records of U.S.-based users, according to a published report. Eighteen million records of users in the United Kingdom and 50 million records of Vietnam-based users also were held on the server, according to the report.

Specifically, each record contained both the ID and phone number listed on the account of a unique Facebook user. While the names of users weren’t listed in the records, it’s not difficult to track down user account names using the ID number (a long, unique and public number associated with a user account), according to the report.

Facebook already has come under considerable fire over privacy concerns and its indiscriminate ways of collecting data from its roughly 2.4 billion users worldwide. The company’s historical lack of data protection and various ways to monetize user data in particular have drawn criticism from security experts.

Researchers said the latest breach is particularly egregious because Facebook has restricted access to user phone numbers for more than a year as a part of an effort to improve data practices.

While the numbers associated with the latest breach appear to be data published online from before the company stopped publicizing numbers, it’s still worrisome that they’ve been made available, they said.

“Online businesses often ask for the number ‘in case you need to recover access to your account,’” said Colin Bastable, CEO of security awareness training company Lucy Security, in an e-mail to Threatpost.

Bastable warned users to “think hard” before giving their phone numbers to social networks because, more often than not, that number is for business rather than “altruistic” purposes, and can be used to compromise someone’s account.

Facebook’s shady privacy practices have not gone unnoticed by government regulators, who have slapped the company with fines and put its executives in front of Congressional committees to try to repair these practices.

The latest punishment came from the Federal Trade Commission in July, which fined Facebook $5 billion (the largest to date for a technology company) in the culmination of a years-long investigation into the company’s mishandling of data in the now-infamous Cambridge Analytica scandal, among others.

Indeed, these breaches should be taken very seriously, as they could have major security ramifications for the users whose numbers have been exposed, security experts said.

“The main risk of the phone number exposure incident is the potential of spam calls, which are a huge nuisance today,” said Jonathan Deveaux, head of enterprise data protection at security firm comforte AG, in an e-mail to Threatpost. “The bigger fear is what other unprotected sensitive data exists, which may be subject to the same decisions, but possibly posing a larger risk to end-users.”
