Leaky Server Exposes 419M Phone Numbers of Facebook Users

Leaky Server Exposes 419M Phone Numbers of Facebook Users

Facebook is in the news again this week, this time failing to protect the private information of millions of users. A leaky server containing more than 419 million records of people across the world. This includes 133 million records from the U.S, eighteen million records from the U.K, and fifty million records from Vietnam users were exposed.

The server was left unprotected, without a password leaving it vulnerable to attack. Anyone who could find the server had easy access to the database because there was no password on the server.

It is important to note, that the database does not belong to Facebook, however, it contained Facebook data in it.

The database contained each user’s unique Facebook ID and the phone number associated with the account. Although each user’s name was not exposed in the leak, it is not hard to associate an ID number with the phone number. Further, researchers at TechCrunch found that the database also included records such as username, location, and gender

Just last year in April 2018, Facbook announced they would focus on protecting the privacy of their users, saying in a statement:

“we know we have more work to do”

Regarding this recent data leak, Facebook told Techcrunch

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”

Further, Facebook tried to down play the compromise by confirming that the exposed database contained records of just 210 million users, instead of the original 419 million claimed by Techcrunch because many of the records were duplicates Security researcher, Zack Whittaker tweeted that the claim by Facebook that just 217 million users were affected shows just one of multiple databases. Tweeting:

“Facebook is under a lot of pressure to try to minimize the number of phone numbers that were exposed”

Since revelation of the leak, Facebook confirmed that they have shut the leaky server and no evidence indicating a compromise was found.

Although, the leak contained just phone numbers and Facebook ID’s, this information in the wrong hands can cause great damage. Phone numbers are associated with your online identity and if put in the wrong hands can increase the risk spam calls and of SIM-swapping. This means that malicious attackers can trick cellphone carriers into sending all incoming calls and messages can be sent to them.
So, if you are logging into an account which uses two-factor authentication, the text-based pin that is sent to your phone number will instead be sent to the attacker. Phone numbers can also be used to call services and using social engineering to trick providers into resetting/providing passwords.

What to Do When You’ve Been Hacked?
Contact LIFARS.com Cyber Incident Response Team immediately

More posts about Facebook