The telephone numbers of as many as 419 million Facebook users have been exposed, it was discovered earlier this week and made public yesterday (September 4, 2019). The word on the street is that the data itself apparently dates from before Facebook changed both its security and data access policies (we have reason to question that; read on); however, the data set was loaded into an unprotected database within the past few weeks.
The data, which contained phone numbers and account information of Facebook users around the world, includes 133 million records for Facebook users in the United States, 50 million for users in Vietnam, and 18 million for Facebook users in the United Kingdom. As the UK is still part of the EU at the time of this writing, the UK records alone put this exposure of personal data squarely within the scope of the General Data Protection Regulation (GDPR), and on its face it is a serious GDPR breach.
You see, it used to be that you could look up somebody on Facebook by their telephone number. That changed last year, after the Cambridge Analytica fiasco: starting in around April of 2018, you could no longer just plug a telephone number into Facebook and find the person (account) associated with it.
Whether the database of 400+ million telephone numbers, each associated with a Facebook account, is from before the change (i.e. from before April of 2018) or after it has not been confirmed, although Facebook claims that it is from before. It is also not known whether Facebook deleted all of those telephone numbers after April of last year, or whether it is still hanging on to them (we'd bet that it is). Not that it necessarily matters. What does matter is that a database of more than 400 million Facebook accounts with associated telephone numbers was out there, exposed for anyone who knew where it was to see.
It has since been taken down, thanks to security researcher Sanyam Jain, who discovered the wide-open database sitting on a third-party server (not one run by Facebook), and to TechCrunch, whom Jain contacted after being unable to find anyone responsible for the database. Once contacted, the host on whose server it was found took it offline.
But how many scammers and other malicious actors grabbed that database before it was discovered? It was put up a few weeks ago*, and the odds that nobody accessed it between the time it was put up and the time Jain found it... well, we don't like those odds.
(*As we discuss below, one of the mysteries that remains is how the records have an update date of August 28th, 2019 if it was put up a few weeks ago, let alone scraped before that.)
According to Facebook’s Jay Nancarrow, “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
That seems a particularly weak, non-informative statement, even for Facebook. We'd hazard a guess that the vast majority of Facebook users haven't changed their telephone numbers since April of last year (have you?), which makes those telephone numbers fresh, not "old".
The thing that is not yet known, and that may never be known, is what else was done with that database. You can be fairly sure that there are other copies of it.
Of course, there are massive databases of telephone numbers out there, not to mention all of the computer-generated call lists covering every number in existence. However, and this is one of the main points, those lists don't have Facebook account IDs and other personal information attached to them.
As this screenshot from TechCrunch shows, the database includes the fields phone, uid (user id), birthday, country, gender, hometown, location, name, status, and update date.
Examples of Telephone Numbers of UK Facebook Users from fb.users_uk Portion of Database Exposed in Breach
Now, granted, these particular samples don't have many of the fields filled in (we suspect that is why TechCrunch chose this sample), but of course lots of people give Facebook much more of that information.
We also find it very interesting to note that the update date on these two sample records is August 28th, 2019. This seems to fly in the face of Facebook saying it is old data, and rather suggests that it is very fresh data. One caveat: an "update date" column in a database like this can just as easily record when the row was last written to the exposed server as when the underlying data was pulled from Facebook, so on its own it does not settle the question.
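For anyone who ends up with a copy of a dump like this (an incident responder, or a researcher verifying a report), the first job is triage: parse the records in the layout described above, normalize the phone numbers so they can be matched against your own user lists, count records per country, and check how many update dates fall after the April 2018 cut-off Facebook points to. The script below is an added example written for this article; it is not code from TechCrunch, Jain, or Facebook. It assumes a tab-separated export with the ten fields named above in that order, assumes the country column holds short codes such as US, UK and VN, and runs on a handful of constructed sample lines, not on the exposed data.

```python
"""Triage helper for a leaked record dump in the fb.users_* layout.

Assumptions (not confirmed by the article): tab-separated rows, the ten
fields in the order phone, uid, birthday, country, gender, hometown,
location, name, status, update_date; country stored as a short code.
"""
import re
from collections import Counter
from datetime import date

FIELDS = ["phone", "uid", "birthday", "country", "gender",
          "hometown", "location", "name", "status", "update_date"]

# Facebook disabled phone-number lookup around April 2018. Records updated
# after this date are the ones to question when the data is called "old".
LOOKUP_DISABLED = date(2018, 4, 30)

# Assumed mapping from the dump's country codes to dialling codes.
COUNTRY_CC = {"US": "1", "UK": "44", "VN": "84"}

# Constructed sample rows (fictional numbers and names), not data from the dump.
SAMPLE = [
    "07700900123\t1000001\t\tUK\tmale\t\t\tA. Example\t\t2019-08-28",
    "+1 202 555 0143\t1000002\t1980-01-01\tUS\tfemale\tSpringfield\tSpringfield\tB. Example\t\t2018-03-15",
    "0912345678\t1000003\t\tVN\t\t\t\tC. Example\t\t2019-08-28",
    "malformed line with too few fields",
]


def normalize_phone(raw, country):
    """Return the number as '+<cc><national digits>' or None if unparseable.

    International numbers are taken as-is; national ones get the dialling
    code for the record's country, dropping a leading trunk '0' (UK/VN) or
    a leading '1' on an 11-digit North American number.
    """
    digits = re.sub(r"\D", "", raw or "")
    if not digits:
        return None
    if raw.strip().startswith("+"):
        return "+" + digits
    cc = COUNTRY_CC.get(country)
    if cc is None:
        return None
    if digits.startswith("0"):
        digits = digits[1:]
    elif cc == "1" and len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return "+" + cc + digits


def parse_record(line):
    """Split one TSV row into a dict; rows with the wrong field count are skipped."""
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["update_date"] = date.fromisoformat(rec["update_date"])
    except ValueError:
        rec["update_date"] = None
    rec["phone_e164"] = normalize_phone(rec["phone"], rec["country"])
    return rec


def triage(lines):
    """Summarize a dump: record count, per-country counts, uids updated after
    the lookup cut-off, and how many phones could not be normalized."""
    recs = [r for r in map(parse_record, lines) if r]
    by_country = Counter(r["country"] for r in recs)
    post_cutoff = [r["uid"] for r in recs
                   if r["update_date"] and r["update_date"] > LOOKUP_DISABLED]
    unparsed = sum(1 for r in recs if r["phone_e164"] is None)
    return {
        "records": len(recs),
        "by_country": dict(by_country),
        "post_cutoff_uids": post_cutoff,
        "unparsed_phones": unparsed,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The normalized numbers are what you would hash and compare against your own customer or employee phone list to find out who is affected; the post-cutoff list is the evidence to bring to the "this data is old" argument, with the caveat that the column may only reflect when the row was written to the exposed server.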
Now, of course, we will probably never know all of the facts. But what we do know is that more than 400 million telephone numbers are floating around, tied to Facebook account IDs, names, and more.
And the big deal about that is that a name, a Facebook ID, and a working telephone number together let bad guys spoof your number and know enough about you to convince others that they are communicating with you. Those others include not only friends and colleagues, but potentially your financial institutions and any other service that treats your phone number as proof that it is dealing with you.
Unfortunately, there isn't a whole lot you can do about this, other than being very vigilant about monitoring all of your accounts, unless you want to get a different telephone number, in which case you would have to change your number everywhere (except, we suggest, Facebook). It is also worth checking which of your accounts fall back on that number for password resets or login codes, since those are the accounts an impersonator armed with this data would go after first.
If you see or experience anything strange that you think could be tied to this, let us know!