An exposed server on the web was found leaking the data of hundreds of millions of Facebook users. First reported by TechCrunch, the exposed server was discovered by security researcher Sanyam Jain, who said that the database also contained the phone numbers of some celebrities.
Along with contact numbers, the database also contained Facebook IDs and, in some cases, the names, countries, and genders of users. The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.
However, the exposed server doesn’t belong to Facebook, and the database wasn’t password-protected.
Earlier, it was reported that phone numbers of around 419 million Facebook users were leaked. But Facebook rejected that claim and said that the number of affected users is nearly half of what is being claimed, as much of the database is duplicate information.
The company told Engadget that the data on the server is old and was scraped before Facebook cut off the feature that allowed its users to be found by their phone numbers.
It’s still not known who harvested all that data and how it ended up on the server. This time there isn’t any Cambridge Analytica or an app “for research purposes” that tricks Facebook users into giving away their data. Facebook said it has taken down the database and hasn’t found evidence of any user account being compromised.
Still, at least some users may still be using the same phone number. It isn’t rocket science for malicious actors to abuse exposed phone numbers, not just on Facebook but elsewhere. Also, the database contains Facebook IDs – a unique number tied to a Facebook account – which can also be used to trace back to the users.
Facebook spokesperson Jay Nancarrow said the data had been scraped before Facebook cut off access to user phone numbers.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Facebook later claimed the server contained “about 220 million” records.
But questions remain as to exactly who scraped the data, when it was scraped from Facebook and why.