Phone numbers of 419 million Facebook users found online in exposed database

No password was used to protect the exposed server, which contained the phone numbers, and more, of hundreds of millions of Facebook users

Millions of phone numbers associated with Facebook users have been found online in an unsecured database.

The database contained the phone numbers of more than 419 million Facebook users from across the world and included the real name, country and gender for many users.

The records leaked included 133 million records on Facebook users from the US, 18 million records associated with UK users - which will invite an investigation by the Information Commissioner's Office (ICO) under GDPR - and another 50 million records on users in Vietnam.

No password was used to protect the exposed server. TechCrunch said it verified some of the phone numbers in the database by matching known Facebook users' phone numbers against their listed Facebook IDs.

The database was spotted by Sanyam Jain, a security researcher and a member of the GDI Foundation, according to TechCrunch.

Facebook claimed that the exposed data set was old and likely obtained before the company scrapped the feature that enabled Facebook users to find other people on Facebook using their phone numbers. The feature was shut down in April 2018.

According to Facebook, the feature was being abused by "malicious actors" to collect information on Facebook users.

"Malicious actors have abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature," Facebook's Chief Technology Officer Mike Schroepfer wrote at the time.

Facebook claimed there was no evidence of Facebook accounts being compromised due to the leak. It added that the database contained many duplicate records, which meant the number of users impacted by the leak was roughly half of the number being reported.

The exposed database was taken offline after the web host was notified. Facebook said that it was launching an investigation into the matter.

Nevertheless, it is another worrying incident for the company in a series of major data breaches.

In March, security researcher Brian Krebs claimed that a series of data protection failures by Facebook led to between 200 million and 600 million passwords being stored in plain text. Krebs said that those passwords were readable by 12,000 employees, and the practice had stretched back as far as 2012.

In May, data for about 49 million Instagram users was found to have leaked online.

In July, Facebook was fined $5 billion by the US Federal Trade Commission for violating a 2012 settlement by sharing users' data with political consultancy Cambridge Analytica. The FTC opened its investigation in March 2018 following claims that data from approximately 87 million Facebook users had been acquired by Cambridge Analytica.