Facebook's Latest Epic Security Fail Exposes 267 Million User Phone Numbers

Facebook can't seem to do anything right when it comes to privacy. Despite that fact, people continue to use the social network, and the latest privacy issue has exposed the phone numbers of 267 million users.

The phone numbers were in a database that included both phone numbers and Facebook user IDs. Security researcher Bob Diachenko along with Comparitech discovered the Elasticsearch database. They believe that the database belongs to a cybercriminal organization rather than Facebook. Diachenko went to the ISP managing the IP address to remove it. The database was left unsecured on the web for nearly two weeks before it was removed.

The team says that such an extensive database is likely being used for phishing and spam campaigns, particularly via SMS. The researchers warn that Facebook users should be on the lookout for suspicious text messages, even if the sender knows your name and basic information about you. Most of the data was from Facebook users in the U.S., according to the researchers.

As for where the database was collected, the exact source is a mystery. The researchers say that one possibility is that the data was stolen via the developer API that was used to access user-profiles and connected data before Facebook blocked access to it in 2018. Another possibility is a glitch in the Facebook API that allowed criminals to access user IDs and phone numbers even after it was restricted in 2018.

The data could have also been scraped from publicly visible profile pages. Researchers have warned Facebook users to set their profiles to private, rather than public to avoid scraping in the future. In recent Facebook news, the social network has refused government demands for a backdoor into secure communications.