Facebook is dealing with yet another data leak, this time involving 419 million user phone numbers.
An exposed server has been found to contain 419 million records pairing Facebook IDs with phone numbers: 133 million belong to US-based Facebook users, 18 million to users in the UK, and more than 50 million to users in Vietnam, technology website TechCrunch reports. Some of the records reportedly also included users' names, gender and country. The database was not password protected, so anyone who found it could read its contents. It was taken offline after TechCrunch contacted the web host.
The social media giant has confirmed the report but claims the actual number of exposed records was 210 million, because the 419 million records contained duplicates. However, TechCrunch security editor Zack Whittaker, who broke the story, disputes the claim and says there is little evidence of duplication.
The database did not belong to Facebook. It is still unknown who owned the server or exactly how the data was obtained. However, it was likely compiled using a now-disabled feature that allowed anyone to look up users by their phone number; Facebook disabled that feature shortly after the Cambridge Analytica scandal.
According to Facebook spokesperson Jay Nancarrow, the data was scraped before Facebook cut off access to user phone numbers last year.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said in a statement to TechCrunch.
The database has since been taken down, and according to Facebook there is no evidence that Facebook accounts were compromised. It is not yet known whether Facebook will inform affected users about the incident.
Facebook has been dealing with a string of similar incidents since Cambridge Analytica. In September 2018, a major breach exposed the data of 50 million Facebook users, and in March 2019 Facebook admitted that millions of Facebook Lite and Instagram users had their passwords stored in plain text.
Why exposing users' phone numbers is so dangerous
Exposed phone numbers put users at risk of SIM-swapping attacks: an attacker tricks the mobile carrier into moving the victim's number to a SIM the attacker controls, then receives the victim's calls and SMS messages. That is enough to trigger and complete phone-based password resets and to intercept SMS two-factor authentication codes. Recently, Twitter CEO Jack Dorsey was the victim of a SIM-swapping attack that led to his Twitter account being hijacked.
Many security specialists advise users not to give their phone numbers to online services unless absolutely necessary. Furthermore, because SIM-swapping attacks are becoming more common, an authenticator app or a hardware security key is a much safer second factor than SMS: the one-time code or signature is derived from a secret held on the device and never travels through the carrier, so taking over the phone number does not help an attacker.
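As an added example (not part of the original article, and not Facebook's or any vendor's code) of why an authenticator app is unaffected by SIM swapping, the following Python implements RFC 6238 time-based one-time passwords and their server-side verification. The secret is the RFC 4226/6238 test-vector key, embedded here as constructed sample input; the 30-second step, six digits and one-step skew window are the RFC defaults. Nothing in the exchange involves a phone number: the code depends only on the shared secret and the clock.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as an authenticator app receives it from the enrolment QR code
# (base32-encoded). This is the RFC 4226/6238 test-vector key "12345678901234567890",
# used here as constructed sample input, not any real account's secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30      # seconds per TOTP counter step (RFC 6238 default)
DIGITS = 6          # code length shown in the app


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the '=' padding and spaces most apps omit."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = decode_base32_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock instead of a login count.
    This is what the authenticator app computes and displays."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step plus `window` steps on
    either side to absorb clock skew, and compares every candidate in constant time so
    response timing does not reveal how many digits matched. The user's phone number
    plays no part, so an attacker who has hijacked it via SIM swap gains nothing here."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = unix_time // TIME_STEP
    accepted = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, current + delta), submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = 59  # fixed timestamp so the run is reproducible against the RFC vectors
    code = totp(RFC_SECRET_B32, now)
    print("authenticator shows:", code)
    print("server accepts fresh code:", verify_totp(RFC_SECRET_B32, code, now))
    print("server accepts same code five steps later:",
          verify_totp(RFC_SECRET_B32, code, now + 5 * TIME_STEP))
```

A server that deploys this still needs to store the per-user secret as carefully as a password hash and to enforce rate limiting on failed attempts, since a six-digit code is trivially guessable without it. Replay protection (rejecting a code already accepted in the same step) is also expected in production and is left out here for brevity.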