Recently, an unsecured server exposed 419 million records of phone numbers linked to Facebook accounts. The exposed records included users’ unique Facebook IDs and their associated phone numbers, as well as Facebook users’ names, gender, and country. Security researcher Sanyam Jain uncovered the unguarded server, which had been left publicly accessible without any password protection.
The server contained at least 419 million records linked to several Facebook users including celebrities. This meant that anyone looking for such things could find, and access, those databases. Breaking the news at TechCrunch, Zack Whittaker revealed that multiple databases across several geographies included “133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and more than 50 million records on users in Vietnam.”
This latest incident exposed millions of users’ phone numbers just from their Facebook IDs, putting them at risk of spam calls and SIM-swapping attacks, which rely on tricking cell carriers into giving a person’s phone number to an attacker. With someone else’s phone number, an attacker can force-reset the password on any internet account associated with that number.
The security researcher who found the leaky server contacted TechCrunch to assist him in finding the owner of the database. TechCrunch reviewed the database and verified the authenticity of the records by matching a known Facebook user’s phone number against the list of exposed Facebook IDs.
Researchers noted that the records appeared to be loaded into the unprotected database at the end of last month. However, the records are old. After this, they contacted the web host and secured the database.
The TechCrunch investigation found that, as well as the phone numbers and Facebook IDs, some of the records in these unsecured databases also contained the “user’s name, gender and location by country.” It is unknown at this time who the databases belonged to, or how the Facebook data was obtained. However, the server did not belong to Facebook.
A Facebook spokesperson, Jay Nancarrow, said that the exposed records are old and had been scraped before Facebook disabled access to user phone numbers. “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised,” Nancarrow said, TechCrunch reported.
This latest data exposure is the most recent example of data stored online and publicly without a password. Although often tied to human error rather than a malicious breach, data exposures nevertheless represent an emerging security problem.