Facebook’s Security Incompetence Exposes Over 400 Million Personal Phone Numbers
Security researcher Sanyam Jain was the first to find the exposed server. The server was not owned by Facebook, but still contained users’ Facebook IDs and phone numbers. A Facebook ID is a public number that is associated with an account. The number often contains portions of a person’s Facebook name and it is not difficult to determine the owner of the ID number. The server also contained information about some users’ gender and location by country.
The server was not password protected and could have been easily accessed by anyone before the web host shut it down. At the moment no one knows who owned the database. Facebook used to allow users to search for others by phone number, but this feature was removed in April 2018 after the Cambridge Analytica scandal. It is believed that the data on this server was collected before this feature was shut down.
Facebook spokesperson Jay Nancarrow remarked, “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.” Nancarrow also insisted that some of the numbers were duplicates and that only 200 million users may have been impacted by the server.
Although there is no evidence of foul play, many are concerned about the implications of Facebook’s repeated security missteps. Phone numbers are frequently used in two-factor authentication (2FA) and other cybersecurity measures. An attacker could have potentially used the phone numbers to reset the passwords of a wide variety of online accounts. The attackers could have also used the numbers to try to convince cell carriers to switch the numbers to their own SIM card. Victims may have also been potentially subjected to spam calls and harassment.
Facebook is already potentially staring down a $5 billion FTC fine due to privacy violations. The social media giant is going to need to clean up its security act if it wants to keep users and avoid further legal entanglements.