More than 267 millions of Facebook user phone numbers exposed online

Security researcher Bob Diachenko discovered more than 267 million Facebook user IDs, phone numbers and names in an unsecured database.

Security expert Bob Diachenko, along with Comparitech, has discovered more than 267 million Facebook user IDs, phone numbers and names in an unsecured database.

The huge trove of data is likely the result of an illegal scraping operation or Facebook API abuse by a group of hackers in Vietnam. The exposed data could be used by threat actors to conduct large-scale SMS spam and phishing campaigns.

“A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.” reads the post published by Comparitech. “Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster.

In total the archive contained 267,140,436 records, most of the affected users were from the United States.

Diachenko also discovered that the server included a landing page with a login dashboard and a welcome note in Vietnamese language.

Diachenko discovered the unsecured database on December 14, but it was first indexed on December 4, unfortunately, the Facebook information was posted on a hacker forum since December 12.

On December 14, the expert sent an abuse report to the ISP managing the IP address of the server and on December 19 the database was shut down.

At the time it is not clear how hackers obtained the data, Diachenko believe that there are to possible scenarios.

In the first scenario, attackers could have exploited Facebook’s API used by developers to access data (i.e. Friends list, photos, and groups). This was possible only before Facebook implemented the restrictions to the access to user phone numbers in 2018, alternatively, the attackers might have exploited a security hole. Criminals could have also scraped information from public Facebook profiles using automated tools.

In September 2019, other databases containing 419 million records were exposed, the huge trove of data included phone numbers and Facebook IDs.

A Facebook spokesman confirmed that in a statement that the company is investigating into the case, but the information was likely harvested before 2018.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – privacy, Facebook)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.