Facebook is staring down yet another security blunder, this time with an incident involving an exposed server containing hundreds of millions of phone numbers that were previously associated with accounts on its platform.
The situation appears to be pinned to a feature, no longer enabled on the platform, that allowed users to search for someone based on their phone number. TechCrunch’s Zack Whittaker first reported Wednesday that a server—which did not belong to Facebook but was evidently not password protected and therefore accessible to anyone who could find it—was discovered online by security researcher Sanyam Jain and found to contain records on more than 419 million Facebook users, including 133 million records on users based in the U.S.
(A Facebook spokesperson disputed the 419 million figure in a call with Gizmodo, claiming the server contained “closer to half” of that number, but declined to provide a specific figure.)
According to TechCrunch, records contained on the server included a Facebook user’s phone number and individual Facebook ID. Using both, TechCrunch said it was able to cross-check them to verify records and additionally found that in some cases, records included a user’s country, name, and gender. The report stated that it’s unclear who scraped the data from Facebook or why. The Facebook spokesperson said that the company became aware of the situation a few days ago but would not specify an exact date.
Whittaker noted that having access to a user’s phone number could allow a bad actor to force-reset accounts linked to that number, and could further expose the user to intrusions like spam calls or other abuse. It could also allow a bad actor to pull up a host of private information on a person by entering the number into any number of public databases, or, with some legwork or impersonation, grant a hacker access to apps or even a bank account.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said in a statement by email. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Facebook announced in a blog post by CTO Mike Schroepfer in April 2018 that it was axing the ability for users to search for each other using phone numbers or email addresses after it discovered that “malicious actors” were abusing the function to scrape publicly available information. Schroepfer wrote at the time that due to the “scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.” Still, the company’s disclosure last year that such scraping was likely doesn’t make this week’s news any less troubling.
Another day, another spectacular security fuckup by a company that has a knack for this kind of thing. The news comes hot on the heels of Senator Ron Wyden telling an interviewer that he believes lawmakers should ensure that Facebook CEO Mark Zuckerberg faces “the possibility of a prison term” for his company’s abuses of user data. While that sounds like a pipe dream, the possibility of it becoming a reality gets stronger by the day.