Phone Numbers for 419 Million Facebook Users Were Left Unprotected

The social network says the now-offline database was old

Each record contained the person’s unique Facebook ID and the phone number listed on the account fizkes/iStock

Facebook suffered another security lapse, this time involving hundreds of millions of users’ phone numbers.

Security researcher Sanyam Jain, a member of nonprofit internet safety organization GDI.Foundation, discovered an online server, which has since gone offline, containing several databases with more than 419 million phone numbers.

Zack Whittaker of TechCrunch reported that the server was not password-protected, so the data was accessible by anyone.

Jain was unsuccessful in finding the owner of the server, and Whittaker reported that after TechCrunch contacted the host, the information went offline.

Facebook eliminated public access to users’ phone numbers in April 2018, with chief technology officer Mike Schroepfer writing in a Newsroom post at the time, “Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages where it takes more effort to type out a full name, or where many people have the same name. In Bangladesh, for example, this feature makes up 7% of all searches. However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So, we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping, as well.”

A Facebook spokesperson said of Jain’s discovery, “This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The dataset has been taken down, and we have seen no evidence that Facebook accounts were compromised.”

Whittaker reported that the data contained records on 133 million people based in the U.S., 18 million in the U.K. and over 50 million in Vietnam, with each record containing the person’s unique Facebook ID and the phone number listed on the account.

And Jain told Whittaker he discovered phone numbers for several celebrities before the server went offline. David Cohen is editor of Adweek's Social Pro Daily.