Cybersecurity researchers have discovered a server with no password, which contained over 267 million pieces of Facebook user data, including Facebook IDs, plus users' names and phone numbers.
The server is not owned by Facebook, and the researchers who discovered it believe the data was scraped unlawfully from Facebook by criminals in Vietnam, according to evidence discovered on the server.
Security researcher Bob Diachenko discovered the data, which was being stored on a server provided by Elasticsearch, a data search company. Diachenko then partnered with Comparitech, a cyber security research company, which has now written about the discovery.
This data leak is similar to an incident in September 2019 when 419 million records, including phone numbers and Facebook IDs, were exposed.
The company wrote in a blog post: "The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users."
Diachenko notified the internet service provider managing the IP address of the server as soon as he made his discovery on December 14. Five days later, on December 19, the server could no longer be accessed.
In all, the server contained 267,140,436 records belonging to Facebook users, most of which were from the US. Diachenko said all of the records appeared to be valid, and each set of records included a unique Facebook ID (each associated with a Facebook profile), plus a phone number, full name, and a timestamp.
It is thought the data may have been scraped from Facebook when the company still allowed its database of over a billion users to be searched by entering a phone number. Facebook switched this system off in 2018 after discovering it was being misused, but it is likely that criminals used it to gather up huge databases of Facebook users' names and numbers.
[Image: You can lock down your profile to protect from scraping. Credit: Getty Images]
In this instance, scraping refers to using an automated system to quickly search through large numbers of websites (like Facebook profile pages), grabbing useful information from them and filing it into a database. Scraping is against the terms and conditions of most social networks, including Facebook. But because most people leave their profile page, or at least some elements of it, publicly viewable, gathering up data is easy.
The data collected from Facebook here could be used to conduct SMS phishing scams, where criminals with access to the database could send text messages to the scraped phone numbers, posing as Facebook (or any other company) and asking the target for their password, or other sensitive information.
Comparitech also suggests the data may have been scraped more recently from publicly visible profile pages, and even floats Diachenko's theory of a flaw in Facebook's security. "Diachenko says Facebook's API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted [in 2018]," the site wrote.
Comparitech explains the dangers of a data breach like this: "A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages."
To reduce the visibility of your Facebook profile to criminals who build databases like this, follow these instructions:
- Open Facebook and go to the Settings page
- Click on Privacy
- Set all relevant fields to 'Friends' or 'Only Me'
- Locate the setting called 'Do you want search engines outside of Facebook to link to your profile' and change it to 'No'.