More than 267 million Facebook users allegedly had their user IDs, phone numbers and names exposed online, according to a report from Comparitech and security researcher Bob Diachenko.
Based on the evidence, Diachenko believes the trove is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam.
The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users.
Diachenko notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.
In total, 267,140,436 records were exposed. Most of the affected users were from the United States, and Diachenko says all of the records appear to be valid. Each record contained a unique Facebook ID, a phone number, a full name and a timestamp.
Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info.
How criminals obtained the user IDs and phone numbers isn’t entirely clear. One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018.
Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.
Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.
This isn’t the first time such a database has been exposed. In September 2019, 419 million records across several databases were exposed. These also included phone numbers and Facebook IDs.
A database this big is likely to be used for phishing and spam, particularly via SMS.