Date: 2019-12-20

267 million Facebook users IDs and phone numbers exposed online. (Representational image of a man posing with a magnifier in front of a Facebook logo on display, source: REUTERS)

Data of more than 267 million Facebook users, containing their IDs, phone numbers, and names, has allegedly been exposed online, as per a report from Comparitech and security researcher Bob Diachenko.

Diachenko says that the database is most likely the result of “an illegal scraping operation or Facebook API abuse by criminals in Vietnam.” The researcher believes that the information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end-users.

As per the report, the database was exposed for nearly two weeks. It was first indexed on December 4 and posted as a download on a hacker forum on December 12. The analyst discovered the database two days after and sent an abuse report to the ISP managing the IP address of the server, after which it was removed on December 19.

Diachenko says that most of the affected users in the 267,140,436 records were from the United States. It is unclear how criminals obtained the user IDs and phone numbers, but “one possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018,” the report says.

App developers use Facebook’s API to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Prior to 2018, phone numbers were available to third-party developers. According to Diachenko, Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.

The report also says that another possibility is that the data was “scraped” from publicly visible profile pages. The term “scraping” refers to a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database, which is against Facebook’s and most other social networks’ terms of service, the report adds.

A Facebook spokesperson told Engadget, “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”

This is not the first time such a database has been exposed, but it is much larger in scope. Facebook’s most famous data breach incident is related to Cambridge Analytica and how it harvested Facebook user data by using an app that appeared to be an academic survey.

