Database leak exposed phone numbers belonging to a huge number of Facebook members
Facebook was fined $5 billion by the Federal Trade Commission (FTC) earlier this year for violating the terms of a consent decree it signed in 2011. At the time, the company agreed not to use a member's profile without the consent of the member. That agreement was violated in 2015-2016 when 87 million members had their Facebook profile information sold to Cambridge Analytica without permission.
TechCrunch reports that hundreds of millions of Facebook subscribers had their phone numbers listed in a database that was left exposed. The server contained records on 419 million people including 133 million Facebook users in the States, 18 million in the U.K. and over 50 million residing in Vietnam. Each record not only contained the user's phone number, but also included their Facebook ID. The latter is public knowledge, so that part of the leak by itself isn't bad. But the listing of members' phone numbers in combination with the leaked Facebook IDs can be used to identify the names belonging to the phone numbers. That type of detective work isn't required for the unfortunate Facebook members who had their names already listed in the database along with their gender and the country they live in. Facebook has continued to have issues with leaked customer data and today another serious leak surfaced.
The database was not protected by a password and the leaked phone numbers could have been used to make spam calls. Even worse, with a phone number that belongs to a wireless carrier account, a bad actor could change the password and address of an unsuspecting victim's wireless account. That could allow the hacker to order some expensive phones, have them shipped to his address and leave the victim holding the bag. The leak was discovered by security researcher Sanyam Jain, who said that the database included the phone numbers of several celebrities.
49 million Instagram members had their personal data exposed earlier this year
Facebook, as you might imagine, played down the leak with a spokesperson stating that there is no evidence that Facebook accounts were compromised. The spokesperson did say that the information had been scraped before Facebook eliminated access to members' phone numbers last year. Once TechCrunch spoke to the database's web host, the data was taken offline. TechCrunch was also able to confirm the legitimacy of some of the leaked phone numbers.
Even if this was an accidental data breach and more of a human error without malicious intent, it highlights a security problem at Facebook that the company can't seem to wrap its arms around. You might recall that last October, 30 million Facebook members' email addresses and phone numbers were found to be accessible to others. Half of those affected also had other information leaked such as their religious affiliation, relationship status, search history, and address.
This past May, data containing the private information of 49 million Instagram members was left exposed on Amazon Web Services. Anyone who found the database could have had access to the data since it was not protected by a password. The exposed accounts included those owned by Instagram influencers, celebrities, and corporations. The data that was exposed included biographies, the number of followers for the account, profile pictures, location information (city and country), phone numbers and email addresses. Facebook acquired Instagram in 2012 for a reported $1 billion.