A cybersecurity company recently reported finding an unsecured Facebook user database on the Internet containing the names, phone numbers, and unique Facebook IDs of over 260 million people, mostly US users. The database, which has since been shut down, went live on December 4, 2019, and remained exposed to unprotected access for two weeks.
Cybersecurity firm Comparitech and researcher Bob Diachenko published the report in December 2019. It is still not known exactly how the sensitive data was exposed, but the researchers were able to trace it back to Vietnam. One possibility is that the database was compiled through a process known as “scraping.” This method of data collection is illegal and involves copying public information from Facebook profiles using automated bots. Another speculation is that the user details could have been stolen directly from Facebook's developer API before Facebook removed phone number information from its API in April 2018.
The potential damage to affected Facebook users could be severe, as the records were freely available for two weeks to anyone, without the need for a password or any other authentication. Furthermore, the data was shared on the dark web through a download link posted on one of the big hacking forums.
According to Diachenko, access to the database was removed immediately after discovery, yet copies could exist anywhere on the web. Facebook officials confirmed the security incident but stated that the information had probably been obtained before the company's recent measures to improve the protection of user data. Diachenko and Comparitech, however, claim that there could still be a security hole in Facebook's developer API that would allow unsolicited access to Facebook IDs and phone numbers.
Individuals whose personal information has been exposed should expect to become targets of phishing campaigns, spam messages, and other fraudulent online schemes. Given the security issues that Facebook has experienced over the past two years, experts advise users to tighten their security settings by reducing the amount of publicly visible private information in their profiles. That should reduce the risk of exposure if future data breaches take place.