According to a report from Comparitech, around 267 million Facebook user names and phone numbers were left exposed on a web server with not even a password to prevent unauthorized access. This isn’t the first time this has happened. In September, a researcher found the personal information of over 400 million Facebook accounts from all over the world stored on an unsecured web server. Luckily, that dataset turned out to be old and there’s no evidence that it was used to compromise any accounts.
Comparitech along with security researcher Bob Diachenko uncovered the new treasure trove for data thieves, which was stored on an Elasticsearch cluster. Diachenko suspects it was obtained through an illegal scraping operation in Vietnam that abused a Facebook API.
The resulting dataset could be used in SMS spam and phishing campaigns, and it was online between December 4 and December 18. It appears that most of the user IDs, phone numbers, and names belong to US Facebook accounts, and were allegedly shared on a hacker forum.
A Facebook spokesperson said the company is investigating the report, and reiterated that this may be another old dataset from 2018 when developers were able to access too much information from publicly visible profile pages. The company restricted access after the Cambridge Analytica scandal.
One way to protect yourself is to make sure that only friends have access to your profile picture, your details, and what you post on your wall. Also, make sure the option “Do you want search engines outside of Facebook to link to your profile” is set to “no” as this is one of the things that facilitated the Elasticsearch scraping.
