A database of more than 419m phone numbers linked to Facebook accounts has been discovered online, making it one of the largest data breaches in 2019 to date.
The server contained records over several global databases, including 133m records from US-based Facebook accounts, 18m from UK users and 50m from users based in Vietnam.
The server was reportedly not password protected and therefore could be found and accessed by anyone.
Each record contained a user’s phone number and unique Facebook ID, which is a public number that can be used to discern an account’s username. Some of the records also contained users’ real names, genders and locations by country.
A security researcher and member of the GDI Foundation, Sanyam Jain, discovered the database and reached out to TechCrunch after he was unable to find the owner. TechCrunch then conducted its own research and verified a number of records in the database by matching numbers against users’ listed Facebook IDs.
Jay Nancarrow, a spokesperson for Facebook said the data was scraped before Facebook cut off access to user phone numbers.
“The data set has been taken down and we have seen no evidence that Facebook accounts were compromised,” he told TechCrunch.
Having phone numbers leaked can leave affected users open to spam calls and even SIM-swapping attacks. This is when cybercriminals convince mobile carriers to transfer a person’s phone number to that of the attacker's. From there, attackers can infiltrate any accounts that are verified by phone numbers, including bank and PayPal accounts.
Joseph Carson, chief security scientist at cybersecurity firm Thycotic, told Silicon Republic: “The statement from Facebook downplaying the significance of the data breach is an attempt to reduce accountability by stating that the data is old. However, this does not make any difference when such data does not change, meaning that while old, it is very likely to be still accurate and valid.
“It is important to acknowledge that data breaches are bad and that the company is taking the right steps to ensure the victims are informed if their data was impacted, along with what actions they are doing to prevent abuse of that data. Facebook is becoming the opposite of privacy and security.”
Source: Silicon Republic
