Database of 419 Million Facebook Users’ Phone Numbers Exposed
A TechCrunch report has revealed an exposed database holding hundreds of millions of user phone numbers. According to the report, details of as many as 419 million Facebook users were openly accessible on a database that was not password protected.
The discovered server hosted 419 million records on 133 million U.S.-based users, 18 million users in the U.K., and 50 million Vietnamese users. The owner of the database is yet to be determined, and the server was taken down shortly after TechCrunch contacted the website’s host.
“Each record contained a user’s unique Facebook ID and the phone number listed on the account,” according to the report. “A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.”
However, as Zack Whittaker explains, “phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.”
TechCrunch was able to verify parts of the database by matching a known user’s number to the listed Facebook ID. “We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account.”
Facebook’s spokesperson, Jay Nancarrow, says that the data had been accessed before Facebook made it impossible to access user phone numbers. “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” he said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
According to The Guardian’s Julia Carrie Wong, “Facebook confirmed the report and said it was investigating when and by whom the database was compiled. A spokesperson for the company also claimed that the actual number of users whose information was exposed was approximately 210 million” because of duplicate accounts.
Wong went on to explain that “the records were likely amassed using a tool that Facebook disabled in April 2018 in the aftermath of the Cambridge Analytica controversy. The revelations showed how Facebook’s lax approach to privacy had allowed a political consultancy to obtain personal information from tens of millions of profiles.”
Facebook’s chief technology officer, Mike Schroepfer, previously published a blog post on Facebook restricting access to third parties, adding that “malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search… Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”