Millions of Facebook users’ phone numbers may still be exposed online


Data scraped from an exposed Facebook database containing user phone numbers and information that linked those phone numbers to names and other profile information has popped back up in a separate online repository, even after the initial database was mysteriously pulled offline, according to a report last night from CNET.


The initial, unprotected database contained more than 400 million records of Facebook users across the US, UK, and Vietnam. The exposure, reported first by TechCrunch earlier this week, is believed to have affected a total of around 200 million users.


Speaking with UK security researcher Elliott Murray, CNET reports that the current trove of phone number data appears to have been completely scraped from the earlier database. It’s unclear who owns either database, but Facebook confirmed the data was scraped from a server that stored it as part of a feature that let users look one another up by their phone numbers. Facebook has not said how the data was taken off Facebook servers and why it was available online without any form of security protection.



After TechCrunch and security researcher Sanyam Jain contacted the web host of the initial server on Wednesday, the owner took the database offline. “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson told TechCrunch at the time. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”


However, it appears some other third party got its hands on the data before Facebook did and has copied at least some of it, if not all of it, onto a separate server. Murray tells CNET the data found in this new database is “almost certainly the same” as the information in the initial one. Murray did not disclose where or how he came across the new database.


CNET also contacted someone whose phone number was shown in the database to have once been linked to Facebook co-founder Chris Hughes. The person, who declined to be named, said they obtained the phone number earlier this year and are often contacted mistakenly by people looking for Hughes.


Facebook did not respond to a request for comment on whether this information was identical to the scraped data in the previous database, and how it plans to manage the takedown of this data now that it is no longer stored on one of its own servers.