
TechCrunch reports that a security researcher stumbled across an exposed server on the internet containing databases with a total of more than 419 million records related to Facebook users.

According to TechCrunch’s reporting, each database record contains a user’s unique Facebook account ID (from which it’s possible to determine a user name) and phone numbers attached to the account. The treasure trove of data included 133 million records from US-based Facebook users, 18 million from the UK and 50 million records related to Vietnamese Facebook users.

But worst of all, with no password protection in place on the server, literally anybody with an internet connection could access the sensitive data.

Part of the exposed database. Source: TechCrunch

No one is suggesting that hackers compromised Facebook in order to collect the data. Additionally, the exposed databases were not found on servers used by Facebook itself. But in all likelihood, the data was scraped from millions of Facebook users’ profiles by a third party, perhaps one which had created an app that connected to Facebook accounts. No doubt that scraping was helped along by users who did not realise what was happening, or did not understand the implications of the permissions they were granting.

According to a Facebook spokesperson, the exposed data was collected before Facebook restricted access to users’ phone numbers:

This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.

However, the fact that the data may have been collected some years ago misses the point. People commonly keep the same phone number for many years, so if an online company like Facebook did not do enough to safeguard that data in the past, it still presents a problem in the present and for years to come.

Because if a criminal learns your phone number, they can get up to all kinds of mischief:

  • They can spam you with unwanted messages, which might lead to phishing sites or even malware.
  • They can call you up pretending to be a company you are a customer of, such as your mobile phone operator.
  • If you’re a particularly valuable target, a determined hacker might attempt to exploit unpatched vulnerabilities on your smartphone in an attempt to infect it with spyware or steal data.
  • They can attempt to trick your mobile phone operator into porting your number to a SIM they control, through what’s commonly called a SIM swap attack. Once the number has been hijacked, the criminal receives your calls and text messages, and can reset the passwords on any online accounts that rely on that phone number for SMS-based password resets or two-factor authentication.
  • and plenty more besides…

So being able to determine the mobile phone number of a particular individual can be a valuable piece of information for a fraudster or hacker. And a database of hundreds of millions of mobile numbers would definitely be of interest to some criminals.

It’s been one revelation about poor security and privacy concerns related to Facebook after another. The company can’t seem to keep itself out of negative headlines.

Some revelations, like the Cambridge Analytica debacle, have raised concerns among the media, regulators and governments alike, while others seem to be quickly forgotten. That has been the case with other incidents, including the revelation earlier this year that over half a billion Facebook records had been left exposed on the internet (again without a password) due to the sloppy security of third-party developers.

Mark Zuckerberg claimed earlier this year that he was committed to making Facebook more privacy-focused, claiming that “the future is private.” That statement was treated with some skepticism by observers, including myself, considering the social network’s sketchy history.

The unanswered question remains: regardless of whether Facebook’s claim that “the future is private” is believable or not, is it actually too late for Facebook to repair the damage already done?