An unprotected online server has exposed more than 419 million phone numbers linked to Facebook accounts, potentially putting users at risk of cyberattacks.
The exposed Facebook phone numbers affect largely US users, as well as users in the UK and Vietnam. Each phone number was linked to a user’s unique Facebook ID.
TechCrunch said it verified “a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID”.
Some exposed records included Facebook users’ names, genders and locations by country. It is unclear why the database was online and who had ownership of it. It was taken down after TechCrunch contacted the web host.
In a statement to TechCrunch, Facebook spokesperson Jay Nancarrow said:
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
However, Joseph Carson, chief security scientist & advisory CISO at Thycotic, said:
“The statement from Facebook downplaying the significance of the data breach is an attempt to reduce accountability by stating that the data is old. However, this does not make any difference when such data does not change meaning that while old, it is very likely to be still accurate and valid.”
Security risks of exposed Facebook phone numbers
Cybersecurity experts warned of the dangers of the exposed Facebook phone numbers falling into the wrong hands, such as SIM jacking and an increase in robocalls, as well as cybercriminals sending malware via WhatsApp or SMS to the compromised numbers.
SIM jacking, which involves hackers tricking phone operators into giving them control of another person’s phone number, was recently used to compromise the Twitter account of Twitter CEO Jack Dorsey.
“While SIM jacking attacks are currently on the increase, this latest breach should in no way be shrugged off and overlooked,” said Jake Moore, cybersecurity specialist at security firm ESET.
“Having phone numbers leaked is a huge deal and when linked to an online account, the repercussions could potentially be catastrophic.”
Richard Walters, CTO of Censornet, added: “The main data set that has been leaked contains phone numbers, and in some cases Facebook ID, user name, gender and location by country were also exposed. Although these details may not seem that sensitive on the surface, they actually provide cybercriminals with a head start for carrying out fraudulent activity and identity theft.”
Experts recommended using an authenticator app rather than SMS to verify accounts.
“Using an app for 2FA, like Google Authenticator, is a good idea,” said Walters.
Moore added: “Authenticator apps are free and far more secure when wanting to protect an account. And whilst they are at it, they should also consider changing all of their accounts, where possible, to app-based authenticators or a hardware security key form of verifying. These encrypt a one-time code sent over the network and stop any prying eyes from easily stealing your profile or even identity.”
The exposure of Facebook phone numbers is the latest in a long line of privacy scandals involving the social media giant, starting with the Cambridge Analytica scandal and including a password breach and data leaked via a third party on an unsecured Amazon Web Services server.