Personal data from 267 million Facebook users discovered in an unsecured database
Facebook users have been exposed again. Today, a report published on the Comparitech website says that 267 million Facebook members had their User IDs, names and phone numbers left unsecured on the internet where they were not protected by a password or any other form of authentication. Comparitech teamed up with security researcher Bob Diachenko who believes that the data could have come from an illegal scraping operation. Diachenko also discovered evidence that the data could have been the result of Facebook API abuse by criminals in Vietnam.
The researcher said that the information might have stolen from Facebook's developer API before access to phone numbers was restricted last year. Another possibility is that the API wasn't used at all and instead the data was scraped from profile pages that were unsecured. Scraping uses bots to run through webpages, collecting data that is then moved to a database. Facebook and other social media sites have issues with scraping because they often can't tell the difference between a bot gathering data and a legitimate subscriber doing so.
Facebook members can lessen the odds of having their data scraped by third-parties by going to Facebook and tapping on Settings > Privacy and setting all relevant fields to Friends or Only Me. Set "Do you want search engines outside of Facebook to link to your profile" to "No."
The report notes that unsecured data could have been used "to conduct large-scale SMS spam and phishing campaigns." A total of 267,140,436 records were left exposed with most of them showing personal information from valid U.S. Facebook users. Each record included a unique Facebook ID, the member's full name and phone number and a time stamp. As recently as September, another Facebook database was discovered that contained phone numbers and Facebook IDs for 419 million members.
Information found on the unsecured database
The ISP hosting the database was alerted instead of going first to the owner of the database because researcher Diachenko felt that it belonged to a criminal operation.
Things that are NOT allowed: