Facebook’s run of data exposures seems never-ending. In yet another incident, personal data of over 267 Mn Facebook users was left exposed on the internet without a password or any other form of authentication.
According to a Comparitech report, security researcher Bob Diachenko, who discovered the exposed database, believes the data is most likely the result of an illegal scraping operation or of misuse of a Facebook application programming interface (API) by hackers in Vietnam.
The exposed records included each user’s unique Facebook ID, phone number, full name and a timestamp. Diachenko added that most of the affected users were from the US.
Diachenko said he notified the internet service provider managing the server’s IP address so that access could be blocked. He later found, however, that the same data had also been posted on a hacker forum for free download.
Inc42 has reached out to Facebook for clarification. The story will be updated if and when they reply.
Because each record pairs a phone number with a full name and Facebook ID, the database could have been used to run large-scale SMS spam and phishing campaigns, among other attacks on the affected users.
According to Diachenko, the database was exposed for nearly two weeks before access to it was removed. It was first indexed by search engines on December 4, 2019. On December 12, the data was posted on a hacker forum for free download. Diachenko discovered the database on December 14 and immediately sent an abuse report, and on December 19 the database was finally taken offline.
How Was Data Leaked?
At present, the leading theory is that the data was pulled from Facebook’s developer API before the company restricted access to phone numbers in 2018. App developers use these APIs to add social features to their applications by accessing users’ profiles, friends lists, groups, photos and other data.
Diachenko says Facebook’s API might have had a security loophole that allowed hackers to retrieve user IDs and phone numbers even after the company restricted access to that data. He also raised a second possibility: the data might have been scraped from publicly visible profile pages.
This isn’t the first time such a database has been exposed. According to a recent advisory from the Indian Computer Emergency Response Team (CERT-In), the country’s cybersecurity watchdog, malicious third-party applications have leaked personal data of Facebook and Twitter users.
Recently, Facebook’s subsidiary WhatsApp was also found to be involved in an incident that compromised the privacy of over a dozen users in India, including academics, lawyers, journalists and activists.