[BreachExchange] Huge Facebook leak exposes 400 MILLION users' phone numbers in latest privacy lapse

Destry Winant destry at riskbasedsecurity.com
Fri Sep 6 10:30:31 EDT 2019


Phone numbers linked to more than 400 million Facebook accounts have
been posted online in the latest security disaster for the firm.

According to TechCrunch, 133 million US accounts, more than 50 million
in Vietnam, and 18 million in Britain were among 419 million records
left in an open online server that was not secured with a password.

This includes, according to the person who unearthed the database,
profiles and phone numbers of some celebrities.

Facebook has confirmed the report, but said the total number is likely
to be around half because of duplicate entries.

This latest issue is thought to be from publicly available information
previously used to allow people to search for others by using their
phone number, which was disabled in April 2018 in response to the
Cambridge Analytica scandal.

It is claimed that the server listed some accounts and their
geographical locations, with a user's unique Facebook ID stored
alongside their phone number, as well as their gender.

The implications of the haul mean people were exposed to potential
fraud attempts.

Including, spam calls and SIM-swapping attacks where criminals try and
get hold of more personal details by deceiving carrier firms.

The server was not password protected, meaning anyone could access the

It remained online until late Wednesday when TechCrunch contacted the
site's host.

Facebook confirmed parts of the report but downplayed the extent of
the exposure, saying that the number of accounts so far confirmed was
around half of the reported 419 million.

Sanyam Jain, a security researcher and member of the GDI Foundation,
first discovered the database.

The owner was unable to be found by either him or TechCrunch but it
was taken offline when the web host was informed.

It added that many of the entries were duplicates and that the data was old.

'The dataset has been taken down and we have seen no evidence that
Facebook accounts were compromised,' a Facebook spokesperson told AFP.

As the database has now been taken offline, there is no way for
concerned users to find out if their information was leaked.

Sites like HaveIBeenPwned are good ways of checking details against
all known leaks, but is not a bulletproof method.

Kate Bevan, Which? Computing Editor, said: 'Facebook has taken
positive steps to tighten security since this breach but it will still
worry users that millions of phone numbers could make it into the
hands of criminals - leaving them open to being targeted by
cold-calling, fraudsters and other scams.

'If you've uploaded your phone number to Facebook at any point, it's
worth being extra-vigilant about calls claiming to be from tech
support warning that your computer or router is compromised and other
unexpected cold callers.

'Facebook must also reassure users that their data is being properly
protected following this confirmation.'

Following the 2018 Cambridge Analytica scandal, when a firm used
Facebook's lax privacy settings to access millions of users' personal
details, the company disabled a feature that allowed users to search
the platform by phone numbers.

The exposure of a user's phone number leaves them vulnerable to spam
calls, SIM-swapping - as recently happened to Twitter CEO Jack Dorsey
- with hackers able to force-reset the passwords of the compromised

In July, the Federal Trade Commission announced that it had agreed a
settlement with the social media giant which would see it pay a £4
billion fine and introduce a number of new audits into its business
that would ensure privacy and data protection is in place.

More information about the BreachExchange mailing list