Experts have discovered an online server containing 419 million phone numbers linked to Facebook account holders, with the data stretching over several databases worldwide.
Over 133 million of the records belong to US-based Facebook members, while 18 million are from individuals living in the UK. A further 50 million records belong to account holders in Vietnam.
The absence of password protection on the server means that anyone with web access would have been able to get inside the database and lift the private information of hundreds of millions of users.
Each record held a user’s unique Facebook ID along with a phone number associated with the account. However, the numbers have not been public in over 12 months, as Facebook has locked down access to user phone numbers.
According to TechCrunch, a number of records in the database have been verified by comparing known Facebook users’ phone numbers against their listed identification number. TechCrunch also say they matched other records by checking phone numbers against Facebook’s password reset function, which can help to partly show a user’s phone number linked to the account.
Other records also had the user’s name, gender and geographic location by country.
The security lapse is one more in a series of Facebook data bungles that have come to light since the Cambridge Analytica scandal which broke in March 2018. The incident saw Cambridge Analytica harvest the personal and private details of over 80 million Facebook users in the US to conduct psychological profiling in order to create targeted ad campaigns in the run up to the 2016 presidential elections.
This latest instance of compromised data puts users at risk of receiving spam calls or of falling victim to SIM-swapping attacks which involve phone carriers being tricked into handing a victim’s phone number over to a fraudster. Once in possession of another individual’s phone number, a cyber-criminal can activate a password reset on any internet account associated with that number.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.