Experts Comments On Massive Database Of Facebook Users’ FB IDs And Phone Numbers Found Online – On An Unprotected Server

TechCrunch is reporting that a huge database of Facebook users’ phone numbers has been found online. Here’s the news brief (we’ve added the bold typeface for emphasis):

Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on US-based Facebook users, 18 million records of users in the UK and another with more than 50 million records on users in Vietnam. But because the server wasn’t protected with a password, anyone could find and access the database.

Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username. But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.

TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account. Some of the records also had the user’s name, gender, and location by country.


EXPERTS COMMENTS
Dr Guy Bunker, CTO, Clearswift
September 16, 2019
Social media companies must know what data they collect – not just today, but in the past.
What this really shows is that all too often large companies have little or no idea as to where all their critical information is. Over the years, it has been collected and stored in different locations, and while some people know about some of it, the people who should know, don’t. Without the understanding of what critical information is held and where, the ability to protect it becomes impossi ....

Sam Curry, Chief Security Officer, Cybereason
September 06, 2019
Create a senior post to own privacy, staff it and back it.
Facebook Privacy, an oxymoron or the gift that keeps on giving? The latest exposure appears to be of old data, and comes after Facebook improved security by disallowing people to be searched using their phone numbers. It is likely, however, that more databases like this one could be discovered in the future and Facebook user-related information could continue to seep into the wild. Data in genera ....

Stuart Reed, UK Director, Orange Cyberdefense
September 06, 2019
This is particularly important when enterprises go through digital transformation and begin to make significant infrastructure changes.
The leak of 419 million Facebook records demonstrates the personal privacy risks of placing confidential information online – once your data is exposed, it’s out there, it’s ripe for use by cyber criminals, and you can’t get it back. In the virtual world your information can travel far wider than it might in the physical world, as it can be distributed and replicated so easily. That means ....

Eoin Keary, CEO and Cofounder, Edgescan
September 06, 2019
This is not a technology issue but rather a process and procedure problem.
This is not a technology issue but rather a process and procedure problem. Securing a server once it’s known to require maintenance and configuration is easily done, but visibility is key. Data such as phone numbers may require encryption if it can be cross referenced with personally identifiable information such as emails, names and addresses. The root cause of this issue is lack of procedure in ....

Richard Walters, CTO, Censornet
September 06, 2019
Using an app for 2FA, like Google authenticator, is a good idea.
This is not the first data privacy scandal that has hit Facebook - but that should not detract from the scale of this breach. With 419 million phone numbers exposed, the volume of this data leak is huge. The main data set that has been leaked contains phone numbers, and in some cases Facebook ID, user name, gender and location by country were also exposed. Although these details may not seem tha ....

Tim Mackey, Principal Security Strategist, Synopsys CyRC
September 06, 2019
It’s important to recognise that the owner of this database was not identified.
It’s important to recognise that the owner of this database was not identified, which means that answering how information relating to Facebook accounts was collected isn’t immediately available. It’s also important to recognise that upon learning of the exposed data, the company hosting the data removed access. These realities are of course only marginally comforting to those seeking to lim ....

Eyal Wachsman, CEO, Cymulate
September 06, 2019
This reflects badly on the way Facebook manages the access to its data and the way that it is transferred.
Even though this data is a year old, as Facebook representatives claim, it is still of value and users are at risk. As mentioned, the owner of the server has not been found and few causes could have led to such a server be left exposed online. Whether the server was used by Facebook employees for operational aspects such as testing, or a rogue insider trying to exfiltrate the data out, personal id ....

Dmitry Kurbatov, CTO, Positive Technologies
September 05, 2019
This particular data leak is huge in volume (419 million), but the information in each user record is not that detailed.
This attack should serve to remind us that even the largest companies can fail to secure data. Companies and consumers are very quick in the creation and adoption of new technologies and services but often they fail to protect themselves from the most basic attacks. In terms of the damage that could be done - the more a hacker knows about you the more powerful he is. For instance, if ....

Jake Moore, Cybersecurity Specialist, ESET
September 05, 2019
Authenticator apps are free and far more secure when wanting to protect an account.
While simjacking attacks are currently on the increase, this latest breach should in no way be shrugged off and overlooked. Having phone numbers leaked is a huge deal and when linked to an online account, the repercussions could potentially be catastrophic. Whether Facebook users were caught up in this breach or not, they should seriously consider using an authenticator app, rather than their ph ....

Paul Bischoff, Privacy Advocate, Comparitech
September 05, 2019
The lattermost could allow an attacker to hijack a user's account by bypassing two-factor authentication.
The exposure of this database puts millions of Facebook users at risk of spam, harassment, and SIM swap fraud. The lattermost could allow an attacker to hijack a user's account by bypassing two-factor authentication. By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user's phone via SMS when logging in. ....

Jonathan Bensen, CISO, Balbix
September 05, 2019
Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of attack vectors.
This exposure is the latest in a string of security and privacy incidents involving Facebook. Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the ....

Erich Kron, Security Awareness Advocate, KnowBe4
September 05, 2019
It is important for people to regularly check websites, such as Have I Been Pwned
This is an unfortunate situation where, although the issue that led to a previous data breach was fixed, the impact of the issue has continued to cause serious problems. The data involved here can be very valuable to attackers, as it contains individuals' unique Facebook ID and phone number. Because people often share very personal information on social media platforms, scammers can use the ....