A publicly-accessible unsecured database containing over 267 million Facebook IDs, phone numbers, full names, and timestamps was recently discovered by security researcher Bob Diachenko who also found that a copy of the database was also posted to a hacker forum.
The unsecured database was indexed by a search engine on 4th December and discovered by Diachenko on the 14th, following which he immediately notified the internet service provider managing the IP address of the server as he believed that the database was owned by a criminal organisation.
According to Comparitech who partnered with Diachenko to investigate the unsecured database, the database contained approximately 267,140,436 records that included unique Facebook IDs, phone numbers, full names, and timestamps. Each unique Facebook ID can be used to gain further knowledge about a Facebook profile and the account username.
While most of the data stored in the unsecured database belonged to US citizens, Diachenko has reason to believe that such data records were scraped or obtained by a criminal organisation located in Vietnam. Following the unearthing of the database, it was removed from public access by the ISP that managed the database's IP address.
Data stored in the unsecured database could have been obtained from Facebook's developer API
The researchers believe that there are several ways through which cyber criminals could have obtained such a large number of data records associated with Facebook profiles. They could have obtained the information from Facebook’s developer API that gives developers access to profiles, friends list, groups and photos. Until 2018, developers could also access phone numbers associated with unique Facebook profiles.
Diachenko theorizes that the criminals could have exploited a vulnerability in Facebook's API to gain access to millions of records or could have scraped them using automated bots that are capable of quickly sifting through a large number of web pages, copy data stored from such pages, and upload them to an online database.
"A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages," said Paul Bischoff, privacy advocate at Comparitech.
Anurag Kahol, CTO at Bitglass, says that considering that data exposed in this incident was found on a Dark Web forum, affected Facebook users are now highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking, and more.
"The lasting impact is unknown and a staggering 59% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result.
"All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.
"Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information," he adds.
Facebook flaw allowed developers to enjoy unrestricted access even after curbs were imposed
In October, Facebook was fined 1.6 million Turkish lira (£228,000) by Turkey's data protection authority KVKK for failing to prevent the exposure of personal data of up to 280,959 Turkish users that included names, dates of birth, and search history.
KVKK noted that personal data exposed due to the lack of oversight by Facebook included basic information such as names, phone numbers, and email addresses of 133,510 Facebook users and a lot of additional information on a further 143,974 users. These details included usernames, gender, preferred language, relationship status, dates of birth, device information, job history, training history, search history on Facebook, and details of 500 major accounts followed by each user.
The exposure of personal data of almost 281,000 Facebook users in Turkey took place between 14 and 27 September last year before Facebook introduced a patch to fix a flaw that allowed Facebook users to view detailed profile information of others.
KVKK said that the data breach occurred due to "a vulnerability caused by the interaction of the Facebook system, the Birthday Celebrator and the Video Uploader, three different features of the Facebook system".
A month later, Facebook's Director of Platform Partnerships Konstantinos Papamiltiadis admitted publicly that around a hundred app developers retained access to detailed profile information of Facebook users even though the access was restricted by the company in April last year.
"We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access.
"Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it's likely that the number that actually did is smaller and decreased over time. We know at least 11 partners accessed group members’ information in the last 60 days," he said.