A security researcher recently discovered an unsecured web server that contained more than 419 million phone numbers that are associated with Facebook accounts of millions of people from all over the globe, including 18 million records belonging to UK residents.
Each of the over 419 million data records stored in the web server contained unique Facebook IDs and associated phone numbers of millions of Facebook users. Some of those data records also contained additional details such as names, gender, and locations of users.
According to Tech Crunch who independently verified that phone numbers listed in the database did belong to real people, if malicious actors gained access to the unsecured web server, they could use phone numbers and other information stored in the server to send spam texts to Facebook users or carry out SIM-swapping attacks.
Only 220m data records were exposed, claims Facebook
While access to the unsecured server was restricted after the web host was informed about the exposure, Facebook told Tech Crunch that the actual number of data records exposed via the unsecured server was only 220 million and not around 419 million.
"This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised," said a company spokesperson.
"That a significant cache of private data could be compiled and stored completely exposed should be worrying for both Facebook and its users. It shows that Facebook probably doesn't yet have a good handle on where all this data is, how it's being used both internally and by partners, and where it might be exposed. It also took a third party to alert them, meaning they didn't have the tools to identify it themselves," said Brian Vecci, Field CTO at Varonis.
Eoin Keary, CEO and co-founder of edgescan, said that the exposure of millions of phone numbers belonging to Facebook users from across the globe is not a technology issue but rather a process and procedure problem.
"Securing a server once it’s known to require maintenance and configuration is easily done, but visibility is key. Data such as phone numbers may require encryption if it can be cross-referenced with personally identifiable information such as emails, names, and addresses. The root cause of this issue is lack of procedure in relation to tracking digital assets and applying the appropriate security," he said.
Facebook stored up to 600m user passwords in plain text for years
The discovery of the unsecured web server containing up to 419 million data records is the second such major data exposure involving Facebook this year. In March, security researcher Brian Krebs found that passwords of between 200 million and 600 million Facebook users were stored in plain text on internal Facebook servers for years, indicating major data protection failures on part of the global social media giant
A senior Facebook employee told Krebs that a number of employee-built applications logged unencrypted passwords of millions of Facebook users and stored them in plain text on Facebook's internal servers. Over 20,000 Facebook employees who had access to these servers could view these passwords anytime they wanted. In fact, around 2,000 developers or engineers "made approximately nine million internal queries for data elements that contained plain text user passwords," the source said.