Until April 2018, Facebook users could look each other up by phone number or email address. In the wake of the Cambridge Analytica scandal, in which the personal information of 87 million Facebook users was harvested, the company scrapped that feature and restricted access to user information.
Yet a security researcher has recently told TechCrunch that a database of 419 million records, each tying a phone number to a Facebook account, was sitting on a server with no password protection, waiting for anyone who happened to find it.
The server does not belong to Facebook, but each record pairs a phone number with the unique Facebook ID of the account it belongs to, and some records also list the user's name, gender and location.
Of the hundreds of millions of records exposed, 133 million relate to US users, 50 million to users in Vietnam and 18 million to users in the UK.
Not as bad as it sounds, says Facebook
TechCrunch verified several records in two ways: by matching a known user's phone number against the Facebook ID listed for it, and by feeding phone numbers into Facebook's own password reset flow, which partially reveals the phone number linked to an account and so can confirm that a phone-to-ID pairing in the dump is genuine. That second check is worth noting for any service: an account recovery flow that echoes back even part of a contact detail acts as an oracle that lets an outsider validate scraped or leaked records.
Facebook has been made aware of the lapse and has launched an investigation. A spokesperson said the database contains “information obtained before [Facebook] made changes last year to remove people’s ability to find others using their phone numbers”, and that the true figure was “closer to half” the number TechCrunch reported because of duplicate records.
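The gap between 419 million raw rows and Facebook's "closer to half" estimate comes down to how duplicates are counted, and the per-country figures above depend on the same step. The script below is an added example, not code from TechCrunch or Facebook, showing the triage a responder does with a dump like this: normalise phone numbers to one digit string so that the same number written in different formats collapses to one key, de-duplicate on the (phone, Facebook ID) pair, and size the result by dialling code. The column layout (phone, facebook_id, name, gender, country), the sample rows and the assumption that only US, UK and Vietnamese numbers appear are all constructed for illustration; the real dump's schema is not described on the page.

```python
"""Triage of a leaked phone-to-account dump: normalise, de-duplicate, size by country.

Added example. The record layout and sample rows are constructed; the real dump's
schema is not known from the report. Standard library only, so it runs offline.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample: the same pairing appears in several formats and more than once,
# which is how raw row counts overstate the number of distinct people affected.
SAMPLE_CSV = """phone,facebook_id,name,gender,country
+1 (415) 555-0100,100000000001,Alice Example,female,US
14155550100,100000000001,Alice Example,female,US
+1-415-555-0100,100000000001,,,US
+44 20 7946 0958,100000000002,Bob Example,male,GB
02079460958,100000000002,,,GB
+84 24 3825 0000,100000000003,,,VN
+84 24 3825 0000,100000000003,Chi Example,female,VN
+1 212 555 0199,100000000004,,,US
"""

# Dialling codes for the countries named in the report (assumption: only these appear).
COUNTRY_CODES = {"1": "US", "44": "GB", "84": "VN"}
# National trunk digit to drop when converting a national-format number (assumption: UK only).
TRUNK_PREFIXES = {"GB": "0"}


def normalise_phone(raw: str, country_hint: str) -> str:
    """Reduce a phone string to E.164-style digits (no '+') so equal numbers compare equal."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits  # already international format
    # No '+': the country code may still be present (e.g. 14155550100 for a US number).
    for code, cc in COUNTRY_CODES.items():
        if cc == country_hint and digits.startswith(code) and len(digits) > 10:
            return digits
    # Otherwise treat as national format: strip trunk prefix, prepend the hinted country code.
    trunk = TRUNK_PREFIXES.get(country_hint, "")
    if trunk and digits.startswith(trunk):
        digits = digits[len(trunk):]
    code = next((c for c, cc in COUNTRY_CODES.items() if cc == country_hint), "")
    return code + digits


def country_of(e164_digits: str) -> str:
    """Map normalised digits to a country via the longest matching dialling code."""
    for code in sorted(COUNTRY_CODES, key=len, reverse=True):
        if e164_digits.startswith(code):
            return COUNTRY_CODES[code]
    return "??"


def triage(csv_text: str) -> dict:
    """Return raw row count, distinct (phone, facebook_id) pairs, and per-country distinct counts."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pairs = set()
    per_country = Counter()
    for row in rows:
        phone = normalise_phone(row["phone"], row["country"])
        key = (phone, row["facebook_id"])
        if key in pairs:
            continue  # duplicate pairing, different formatting or repeated row
        pairs.add(key)
        per_country[country_of(phone)] += 1
    return {
        "raw_rows": len(rows),
        "distinct_pairs": len(pairs),
        "per_country": dict(per_country),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

On the constructed sample the eight raw rows reduce to four distinct phone-to-ID pairings (two US, one UK, one Vietnamese), which is the kind of shrinkage a "closer to half" statement rests on. When running this over a real dump, de-duplicate on the pairing rather than on the phone number alone, since one number linked to two different IDs is a separate finding worth keeping.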
The spokesperson added that the database has since been taken down and that there is “no evidence that Facebook accounts were compromised”. That statement addresses account takeover only: a phone number already paired with a specific Facebook ID remains useful for spam, targeted phishing and SIM-swap attempts, and unlike a password the pairing cannot be reset.