The controversy and data breaches refuse to end for Facebook. In the latest episode, phone numbers linked to hundreds of millions of Facebook accounts were found to have been left on an unprotected server, which could be accessed by anyone.
According to a TechCrunch report, the unsecured server contained over 419 Mn records of users across the globe. This comprised 133 Mn US-based users, 18 Mn from the UK and 50 Mn from Vietnam, among others.
The data leak was found by Sanyam Jain, security researcher and member of the cybersecurity non-profit GDI Foundation, which has found such cases of poor security in the past. Jain said he had found the numbers associated with several celebrity accounts as well, which could become a legal problem for Facebook, to add to the ones it’s currently dealing with.
These records contained the users’ unique Facebook ID alongside their phone numbers listed on the account. While it didn’t have data about the names of the users, the unique Facebook ID can be used to identify the account holder easily. Some records in the database also had other details like gender, country and location.
A Facebook spokesperson told TechCrunch that the data was scraped from Facebook, before the policy changes on the platform cut off developer access to phone numbers — whether it should have been made available in the first place is a different matter. The company also claimed the server contained about 220 Mn records.
The spokesperson added, “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
However, Facebook didn’t address how it was scraped in the first place — user data should not be stored in a manner that allows developers to easily scrape it. The company has also not said who managed to put this database online — it may be an old database, but people rarely change phone numbers.
Hackers can get access to user phone numbers by using Facebook’s password reset feature, which revealed the phone number linked to the account.
While the Cambridge Analytica scandal showed that Facebook didn’t really care about privacy in the past, allowing linked phone numbers to be scraped by third parties in such a manner speaks volumes about how little it has changed its lax attitude towards privacy, despite claiming to have done so.
Facebook has been under the scanner of various governments, governmental bodies and non-governmental organisations for high-profile controversies. Facebook-owned Instagram had also been accused of a data leak for hundreds of millions of users last month.
The most high-profile of these was the Cambridge Analytica scandal in 2018, in which the UK-based political consultancy company had mined data of over 87 Mn Facebook users through a Facebook app. This data was used to target voters in key constituencies in the US during the presidential elections and then for the Brexit vote in the UK.