Well, this is a regular occurrence, isn’t it? The names, user IDs and phone numbers of over 267 million Facebook users have been exposed online in an Elasticsearch database left on the web with no password protection.
This is the second time in less than 6 months something like this has happened with Facebook user info, as over 400 million Facebook records were exposed back in September.
It doesn’t appear that it was negligence on Facebook’s part in this breach, at least not directly:
Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.
The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users.
Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.
The user names database was online from at least December 4th to 18th.
The report says the criminals either pulled the data through Facebook’s developer API, possibly by exploiting a security flaw, or simply scraped it from profiles whose visibility is set to public:
How criminals obtained the user IDs and phone numbers isn’t entirely clear. One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018.
Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.
Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.
“Scraping” is when automated bots quickly work through large numbers of web pages, copying data from each one into a database. If a Facebook user has their profile visibility set to public, Facebook can do little to prevent that information from being scraped.
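To make the scraping scenario concrete, here is a small added example (written for this page, not code from Comparitech, Diachenko or Facebook). It walks a set of user IDs, parses each "profile page" and copies name and phone number into a SQLite table, exactly the bot-plus-database pattern the report describes. The pages are constructed in-memory HTML with an assumed data-visibility attribute standing in for the profile visibility setting; on this assumed markup a non-public profile simply does not render a phone number, which is why only the public profiles end up in the database.

```python
import sqlite3
from html.parser import HTMLParser

# Constructed sample "profile pages" (assumed markup, not Facebook's). Each
# page carries a visibility flag and, only when the profile is public, exposes
# a phone number, modelling the point that a public profile is the one a
# scraper can harvest.
SAMPLE_PAGES = {
    "100001": ('<html><body><div class="profile" data-visibility="public">'
               '<span class="name">Alice Example</span>'
               '<span class="phone">+1-555-0100</span></div></body></html>'),
    "100002": ('<html><body><div class="profile" data-visibility="friends">'
               '<span class="name">Bob Example</span></div></body></html>'),
    "100003": ('<html><body><div class="profile" data-visibility="public">'
               '<span class="name">Carol Example</span>'
               '<span class="phone">+1-555-0102</span></div></body></html>'),
}


class ProfileParser(HTMLParser):
    """Pull the visibility flag, name and phone out of one profile page."""

    def __init__(self):
        super().__init__()
        self.visibility = None
        self.fields = {}
        self._current = None  # which span we are inside, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("class") == "profile":
            self.visibility = attrs.get("data-visibility")
        elif tag == "span" and attrs.get("class") in ("name", "phone"):
            self._current = attrs["class"]

    def handle_data(self, data):
        if self._current:
            self.fields[self._current] = data.strip()

    def handle_endtag(self, tag):
        if tag == "span":
            self._current = None


def fetch(user_id, pages=SAMPLE_PAGES):
    """Stand-in for the HTTP GET a real bot would issue; served offline from the dict."""
    return pages[user_id]


def scrape(user_ids, pages=SAMPLE_PAGES):
    """Work through the IDs, parse each page and copy public records into a database.

    Returns the harvested rows as (user_id, name, phone) tuples.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (user_id TEXT PRIMARY KEY, name TEXT, phone TEXT)")
    for uid in user_ids:
        parser = ProfileParser()
        parser.feed(fetch(uid, pages))
        if parser.visibility != "public":
            continue  # nothing exposed: the assumed markup shows no phone here
        db.execute("INSERT INTO profiles VALUES (?, ?, ?)",
                   (uid, parser.fields.get("name"), parser.fields.get("phone")))
    db.commit()
    return db.execute(
        "SELECT user_id, name, phone FROM profiles ORDER BY user_id").fetchall()


if __name__ == "__main__":
    for row in scrape(sorted(SAMPLE_PAGES)):
        print(row)
```

Running it yields two rows, for the two public profiles; Bob's friends-only profile contributes nothing because the page never rendered a phone number for it. That is the whole of the control the report is pointing at: once a profile is public, the data is served to any client, and the only thing distinguishing a scraper from a visitor is how many pages it requests.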