
Phone numbers for as many as 419 million Facebook users were reportedly found sitting online in a file where anybody could have found them

Phone numbers linked to as many as 419 million Facebook accounts were recently found on an online server that was not protected by a password, according to a TechCrunch report on Wednesday.

Facebook told Business Insider that there was no evidence that any users had their accounts compromised and that the number of affected users was likely around half of what TechCrunch reported, as its team analyzed the data set and found duplicate records. Facebook would not put an exact number to the users it estimated to be affected by the exposure, but half of the reported number would be around 200 million users.

The database was brought to TechCrunch’s attention by a security researcher, who discovered the information sitting in plaintext – meaning it wasn’t encrypted at all. This information appears to have been gathered by a third party, who left it exposed to the internet. The database was taken offline after the web host was contacted, TechCrunch said.

The information in question, according to the report, included users’ Facebook IDs – which are strings of numbers used by the company to uniquely identify an account – and the associated phone number for each account. Some records are said to have included the user’s name, gender, and country in which they resided.

TechCrunch reported that 133 million of the 419 million records discovered on the server were associated with American users.

The issue, a Facebook spokesperson told Business Insider on Wednesday, stemmed from a feature, which has since been shut down, that allowed users to search for friends by their phone numbers. Facebook said malicious actors were able to use this feature to scrape information, including phone numbers, from users’ accounts.

Facebook shut down the ability to search for friends by phone number in April 2018.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson told Business Insider. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised. The underlying issue was addressed as part of a Newsroom post on April 4th 2018 by Facebook’s Chief Technology Officer.”

The finding is the latest example of data-protection issues surrounding the social-networking giant. Just last month, Business Insider’s Rob Price reported that Facebook was launching a review of hundreds of marketing and advertising firms amid indications of widespread misuse of Instagram user data, including data scraping of users’ public data without their consent.

Source: BusinessInsider