Facebook seems to be breaking its own records lately. Moving up from their previous record of one data breach per month, they just clocked in their second. Just in time for the holiday season!
Five days ago, security researcher Bob Diachenko discovered a database containing 267 million phone numbers obtained from Facebook.
He concluded that this database was first indexed (or discovered by web crawlers) on the fourth of December. On the 12th, it was posted on a hacker forum for anyone to download. This was two days before he discovered it. He immediately reported it to the ISP managing the server’s IP address.
Yesterday, the ISP took action and removed the database. By then it had been online for at least two weeks, available for anyone to download with no encryption or authentication required.
Most of the 267,140,436 records seem to belong to users from the United States. These records include a unique Facebook ID and a full name corresponding to each phone number. Diachenko says that they all seem valid.
Facebook responded by issuing a statement. “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”
Diachenko agrees with the possibility raised in Facebook’s statement, but also suggests that Facebook’s API could still have an open security hole. He also believes it’s possible that the data was simply collected from publicly visible profile pages. That said, we’re all well aware of Facebook’s track record at this point.
What does this mean for you? Well, probably not a whole lot. If you do start receiving more spam or phishing SMS and phone calls, you’ll know why. Just be extra careful if they ask for banking information or security codes.
On the off chance that this data was indeed scraped from public profiles, it would be a good idea to lock down the personal information you’ve added to your Facebook account using its privacy settings. For the more privacy-conscious, this is yet another reason to delete your Facebook account entirely, or at least to stop sharing personal information on it.