An extensive database of Facebook user phone numbers found online – TechCrunch




Hundreds of millions of phone numbers linked to Facebook accounts were found online.

The exposed server contained more than 419 million records spread across multiple databases of users across the globe, including 133 million records on Facebook users based in the United States, 18 million records on users in the UK, and another with over 50 million records on users in Vietnam.

But because the server was not protected by a password, anyone could find and access the database.

Each record contained a unique Facebook ID and the phone number listed on the account. A user's Facebook ID is usually a long, unique and public number associated with their account, which can easily be used to identify the account holder's name.

However, phone numbers have not been public for more than a year, since Facebook restricted access to users' phone numbers.

TechCrunch verified a number of records in the database by matching a known Facebook user's phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook's password reset feature, which can be used to partially reveal the phone number associated with a user's account.

Some records also included the user's name, gender, and location by country.


A redacted set of records from the British database. The "44" indicates +44, the country code of the United Kingdom, and the "7" indicates a cell phone number.

This is the latest security lapse involving Facebook data after a series of incidents since the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help identify voters during the 2016 US presidential election.

Since then, the company has seen several high-profile scraping incidents, including at Instagram, which recently admitted that profile data had been scraped in bulk.

The latest incident exposed millions of users' phone numbers from their Facebook IDs alone, putting them at risk of spam calls and SIM-swapping attacks, which rely on tricking mobile operators into giving a person's phone number to an attacker. With another person's phone number, an attacker can force a password reset on any Internet account associated with that number.

Sanyam Jain, a security researcher and member of the GDI Foundation, found the database and contacted TechCrunch after being unable to find the owner. After a review of the data, neither could we. But after we contacted the web host, the database was taken offline.

Jain said he found profiles with phone numbers associated with several celebrities.

Jay Nancarrow, a spokesman for Facebook, said the data had been scraped before Facebook cut off access to users' phone numbers.

"This dataset is old and seems to contain information obtained before we made any changes last year to prevent people from finding other people using their phone numbers," said the spokesman. "The dataset has been removed and we have not seen any evidence that Facebook accounts have been compromised."

But it remains unknown who collected the data, when it was extracted from Facebook and why.

Facebook has long limited developers' access to users' phone numbers. The company has also made it more difficult to search for friends' phone numbers. But the data appeared to have been loaded into the exposed database at the end of last month, although that does not necessarily mean that the data is new.

This latest data exposure is the most recent example of data stored online and publicly without a password. Although often the result of human error rather than a malicious breach, data exposure is nevertheless an emerging security issue.

In recent months, financial giant First American has left its data exposed, as have MoviePass and the Democratic senators.


Do you have a tip? You can send tips securely via Signal and WhatsApp at +1 646-755-8849. You can also send PGP-encrypted e-mail using the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
