More than 267 million Facebook users’ personal information was left exposed in an unsecured database on the dark web, according to a report from Britain-based cybersecurity firm Comparitech and security researcher Bob Diachenko.
The database, which was spotted by Diachenko, was openly accessible to anyone without a password or any other form of authentication, said Comparitech.
It comprised full names, phone numbers and user IDs of 267,140,436 Facebook users, mostly residing in the U.S., which could be used to conduct large-scale SMS spam and phishing campaigns.
According to Diachenko, the data was gathered as part of Facebook API abuse by criminals in Vietnam or an illegal data scraping operation. ‘Scraping’ is a term used to describe a process that involves automated bots combing through several web pages and copying data as they go along.
It is unclear how the criminals obtained the information, but “one possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018,” the report says.
On learning of the data leak, Diachenko immediately notified the internet service provider (ISP) hosting the database so that access to the IP address could be removed.
However, Diachenko said that the database was available online for almost two weeks before it was removed. Besides this, it was also posted as a download on a hacker forum.
Responding to the incident, Facebook said in a statement that they are looking into the breach.
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson said.
As of Thursday, the database was no longer available online, but that doesn’t necessarily mean that the exposed data wasn’t copied elsewhere before it was taken down.
Therefore, it is recommended that Facebook users change their privacy settings to “Friends” and also set the “Do you want search engines outside of Facebook to link to your profile?” setting to “No.”
Facebook users should also be wary of any suspicious text messages or emails asking for their password or other sensitive information.
This is not the first time that Facebook has suffered a data breach. In September this year, a security researcher found a similar exposed online database that contained over 419 million records connected to Facebook accounts. The data also included Facebook IDs and in some cases names, genders, and countries.