Over 267 million Facebook users had their names, phone numbers, and profiles exposed online in an unsecured public database, researcher says
Just this morning, we wrote about an investigative Privacy Project that showed how dozens of tech companies are spying on and logging the movements of tens of millions of American people. Now, a security researcher is reporting that the sensitive information of over 267 million Facebook users, including their names, phone numbers, and profiles, has been exposed online in an unsecured public database.
According to a report published by Comparitech, which partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster, the evidence suggests the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam.
Diachenko said the database was available online without a password, exposing the sensitive personal data to anyone who accessed it. He was able to trace the database back to Vietnam but could not identify exactly how the data had been accessed or what it was being used for. He said most people affected are from the United States.
Diachenko and Comparitech claimed that the data could be used for spam messaging and phishing campaigns and said they contacted the internet service provider that was hosting the database. The database is no longer available, but the data was reportedly posted to an online forum before the source was removed.
Neither Comparitech nor Diachenko is certain how the criminals obtained the user IDs and phone numbers. They speculated that, “One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018.”
Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.
“Scraping” is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. It is difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against the terms of service of Facebook and most other social networks.
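One signal a site operator can use to separate a scraping bot from a legitimate user is how many distinct profile pages a single client fetches in a short window. The following is an added example, not code from the article or from Facebook or Comparitech: it parses constructed access-log lines (the IPs, paths and timestamps are made up) and flags clients that view more than a chosen number of distinct profiles within a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log style line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (/profile/\d+)\S* HTTP/[\d.]+" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_profile_hits(log_text):
    """Yield (client_ip, timestamp, profile_path) for successful profile-page requests."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(4) != "200":
            continue
        ip, ts, path, _status = m.groups()
        yield ip, datetime.strptime(ts, TS_FMT), path

def flag_scrapers(log_text, window=timedelta(seconds=60), max_profiles=10):
    """Return {ip: peak} for clients that viewed more than `max_profiles`
    distinct profiles inside any sliding window of length `window`."""
    hits = defaultdict(list)
    for ip, ts, path in parse_profile_hits(log_text):
        hits[ip].append((ts, path))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        recent = deque()         # (ts, path) pairs still inside the window
        seen = defaultdict(int)  # how often each profile appears in the window
        peak = 0
        for ts, path in events:
            recent.append((ts, path))
            seen[path] += 1
            while recent and ts - recent[0][0] > window:  # expire old hits
                _old_ts, old_path = recent.popleft()
                seen[old_path] -= 1
                if seen[old_path] == 0:
                    del seen[old_path]
            peak = max(peak, len(seen))
        if peak > max_profiles:
            flagged[ip] = peak
    return flagged

def _line(ip, second, path):
    return (f'{ip} - - [18/Dec/2019:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# Constructed sample log (not real traffic): one client sweeping sequential
# profile IDs every second, one client browsing a handful of profiles.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, f"/profile/{1000 + s}") for s in range(15)]
    + [_line("198.51.100.4", s * 10, f"/profile/{2000 + s}") for s in range(4)]
    + [_line("198.51.100.4", 45, "/profile/2001")])  # a revisit, not a new profile

if __name__ == "__main__":
    print(flag_scrapers(SAMPLE_LOG))  # {'203.0.113.7': 15}
```

Threshold and window are deliberately conservative here; in practice they would be tuned against the site's own traffic, since a low setting will flag heavy but legitimate browsing.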