A database containing personal details of more than 267 million Facebook users was allegedly left exposed on the web, according to a report from Britain-based tech research firm Comparitech and security researcher Bob Diachenko.
Diachenko believes the trove of data — including Facebook user IDs, phone numbers and names — is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam.
“Scraping” is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database.
The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users, said the report on Thursday, adding that most of the affected users were from the US.
Facebook is reportedly investigating the issue.
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told Engadget.
The revelations come at a time when Facebook is trying to regain the trust of its users with protection of their data following the Cambridge Analytica scandal that badly hit its reputation.
More than one and a half years after the Cambridge Analytica scandal first became public, the US Federal Trade Commission (FTC) earlier this month said that the now-defunct British data analytics and consulting company engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
After discovering that personal details of 267 million Facebook users were exposed online, Diachenko notified the Internet service provider managing the IP address of the server so that access could be removed.
However, the data was also posted to a hacker forum as a download, said the security researcher.
Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info.
While how criminals obtained the user IDs and phone numbers is not entirely clear, one possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018.
Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos and event data. Phone numbers were available to third-party developers prior to 2018.
Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted, Diachenko said.