LOS ANGELES - Hundreds of millions of phone numbers linked to Facebook accounts have been discovered in an exposed online database, TechCrunch reports.
Each record within the exposed server held a user’s unique Facebook ID — a long string of numbers assigned to each user of the platform — and the phone number associated with that user’s account.
Several databases were contained within the exposed server, which held records of more than 419 million accounts. Among them were 133 million records of Facebook users in the U.S., 18 million records of users in the U.K. and more than 50 million records of users in Vietnam.
What’s more, the server wasn’t protected by a password, so anyone could find the database and easily access its contents.
A Facebook spokesperson told TechCrunch that the company has not found any evidence to suggest that Facebook accounts were compromised. But the exposed data could put users at risk of spam calls and SIM-swapping attacks, which can be carried out when an attacker convinces a cell carrier to assign another person’s phone number to their device. This gives the attacker the capability to force-reset the password on any account which is registered to the stolen phone number.
The database was discovered by Sanyam Jain, a security researcher and member of the GDI Foundation, who was able to find profiles with phone numbers linked to several celebrities within the database. He passed the database along to TechCrunch after being unable to determine its owner.
“After a review of the data, neither could we,” wrote Zack Whittaker of TechCrunch. “But after we contacted the web host, the database was pulled offline.”
TechCrunch was able to verify some records within the database by matching a known Facebook user’s phone number with their listed unique Facebook ID. They also checked records related to unknown Facebook users by matching phone numbers from the records against Facebook’s password reset feature, which partially reveals a user’s linked phone number.
In some cases, the records contained additional personal information, such as the user’s name, gender and/or location.
In April of last year, Facebook announced that it would be restricting data access on the platform, including access to users’ phone numbers.
A spokesperson for Facebook told TechCrunch that the data discovered in the database must have been scraped from Facebook before the restrictions went into place.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson told TechCrunch. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”