TechCrunch has the report this week, detailing how a server was not protected in the way that it should have been and how, as a result, phone numbers linked to Facebook accounts were leaked online. According to the report, the server was not protected by a password, which made it accessible to anyone.
As a result, hundreds of millions of phone numbers belonging to Facebook users, up to 419 million, were accessible. In the United States alone there were 133 million records. Another 50 million records were discovered from Facebook users in Vietnam, and 18 million records came from users in the United Kingdom.
The phone number was not the only sensitive data included on the server, as each account's record also included the unique Facebook ID.
The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.
But because the server wasn’t protected with a password, anyone could find and access the database.
Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.
However, it is worth noting that it has been over a year since Facebook restricted access to phone numbers. The data on this particular server predates that change, and Facebook itself states that the dataset is old:
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Storing data in this way is not unheard of, unfortunately. This particular issue can put individuals with exposed phone numbers at risk of getting even more spam calls than they might already be receiving. What’s more, SIM-swapping attacks, in which someone tricks a carrier into giving a nefarious individual someone else’s phone number, are also possible.
This isn’t necessarily a huge breach, but it does show just how important it is to lock down these servers where potentially sensitive information can be stored. Leaving it open in this way, without a password present, is very risky.