Pierluigi Paganini December 19, 2019

Security researcher Bob Diachenko discovered more than 267 million Facebook user IDs, phone numbers and names in an unsecured database.

Security expert Bob Diachenko, along with Comparitech, has discovered more than 267 million Facebook user IDs, phone numbers and names in an unsecured database.

The huge trove of data is likely the result of an illegal scraping operation or Facebook API abuse by a group of hackers in Vietnam. The exposed data could be used by threat actors to conduct large-scale SMS spam and phishing campaigns.

“A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.” reads the post published by Comparitech. “Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster.

In total the archive contained 267,140,436 records, most of the affected users were from the United States.

Diachenko also discovered that the server included a landing page with a login dashboard and a welcome note in Vietnamese language.

Diachenko discovered the unsecured database on December 14, but it was first indexed on December 4, unfortunately, the Facebook information was posted on a hacker forum since December 12.

On December 14, the expert sent an abuse report to the ISP managing the IP address of the server and on December 19 the database was shut down.

At the time it is not clear how hackers obtained the data, Diachenko believe that there are to possible scenarios.

In the first scenario, attackers could have exploited Facebook’s API used by developers to access data (i.e. Friends list, photos, and groups). This was possible only before Facebook implemented the restrictions to the access to user phone numbers in 2018, alternatively, the attackers might have exploited a security hole. Criminals could have also scraped information from public Facebook profiles using automated tools. 

In September 2019, other databases containing 419 million records were exposed, the huge trove of data included phone numbers and Facebook IDs.

A Facebook spokesman confirmed that in a statement that the company is investigating into the case, but the information was likely harvested before 2018.

Pierluigi Paganini

(SecurityAffairs – privacy, Facebook)

[adrotate banner=”5″]

[adrotate banner=”13″]