Over the last seven days, Facebook has admitted that it’s impossible to stop Facebook using data to connect Facebook and Instagram accounts, admitted that a technical error resulted in its Messenger Kids app introducing kids to adult strangers, and reportedly sucked up Android users’ system libraries without consent. Now a new report is indicating that hundreds of millions of Facebook users’ phone numbers have been exposed online.
TechCrunch is reporting that security researcher Sanyam Jain found an exposed server which contained 419 million Facebook users’ phone numbers. The server wasn’t protected with a password, which means that anyone could find and access the databases on the server.
According to TechCrunch, each record in the databases found on these servers contained the user’s Facebook ID and the phone number associated with that Facebook account. In total, the database reportedly contained records for:
- 133 million US Facebook users (which suggests that 60.5% of the 220.5 million total US Facebook users have had their phone numbers exposed)
- 18 million UK users (which suggests that 53.5% of the 36.3 million UK Facebook users have had their phone numbers exposed)
- 50 million Vietnam user records (which suggests that all of the 43.5 million Vietnamese Facebook users have had their phone numbers exposed and that some users have had multiple phone numbers exposed)
TechCrunch adds that some of the records in the database also contained the users’:
- Location by country
Jain says some of the records in this database contained the phone numbers of celebrities.
It’s unclear who scraped this data from Facebook or when it was scraped. The database was taken offline after TechCrunch contacted the web host.
When asked for comment, Facebook spokesperson Jay Nancarrow said:
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
The exposure of these phone numbers is yet another incident that points to the inherent security risks associated with online services storing users’ phone numbers.
Earlier today, actress Chloë Grace Moretz had her Twitter account hacked after an apparent SIM swap. This was the latest in a series of Twitter hacks that appear to have been the result of SIM swapping – a technique where hackers trick carriers into transferring a target’s phone number to a SIM card that they control. Since this phone number is often used as an account recovery or verification tool by online service providers, once hackers have access to the phone number, they can use it to gain access to a target’s online accounts.