Over 267 million Facebook users had their names, phone numbers, and profiles exposed thanks to a public database, researcher says
- An online database exposed the names, Facebook ID, and phone numbers of more than 267 million people, according to data security researcher Bob Diachenko and Comparitech.
- The database was available online without a password, exposing the sensitive personal data to anyone who accessed it.
- Diachenko traced the database back to Vietnam but could not identify exactly how the data had been accessed or what it was being used for. According to Diachenko, the majority of the people impacted are from the United States.
- Diachenko and Comparitech speculated that the data could be used for spam messaging and phishing campaigns and contacted the internet service provider that was hosting the database.
- The database is no longer available but the data was reportedly posted to an online forum before the source was removed.
- Visit Business Insider's homepage for more stories.
Cybersecurity researchers are reporting that more than 267 million Facebook users had their personal data exposed by an online database that collected their names, Facebook IDs, and phone numbers. The database was available online without a password to anyone who accessed it for about two weeks, according to Comparitech and data security researcher Bob Diachenko.
Diachenko said records belonging to 267,140,436 people were exposed, and most of the people impacted are from the United States. People who are identified in the database could be targeted by spam messages or other scam attempts using their name and phone number.
Facebook did not immediately respond to a request for comment.
The database first appeared online on December 4. On December 12 the data was shared publicly on a forum for hackers. Believing the database was a part of a criminal enterprise, Diachenko says he reported it to the internet service provider on December 14. As of today the database is no longer available online, but that doesn't necessarily mean that the exposed data wasn't copied elsewhere.
To avoid having their information taken from their profile, Comparitech recommends that Facebook users change their privacy settings to only allow friends to see their posts and enable to setting to omit their profile from search engine results.
Diachenko traced the database to Vietnam, but couldn't specify exactly how the information had been obtained. Comparitech said the database could have stolen the information from Facebook's developer API, which shares some sensitive information with app creators.
However, Facebook removed phone number information from its API in April 2018 following the Cambridge Analytica scandal. That would mean that the numbers included in the database are more than 18 months-old. Alternatively, the creators of the database could have used automated bots to pull the information from publicly visible Facebook pages.
Facebook has been overhauling its approach to user data in the aftermath of the Cambridge Analytica scandal. In 2015, Cambridge Analytica created a basic personality quiz for Facebook and used its access to Facebook's developer API to obtain the personal data of 87 million Facebook users. The company then used that information to create voter profiles for Donald Trump's presidential campaign and the pro-Brexit Leave campaign.
Following an investigation by the Federal Trade Commission, Facebook was fined $5 billion for mishandling user data and the settlement agreement imposed new regulations on the social media platform earlier this year.