What just happened? It appears that Facebook’s decision to give app developers too much access to users’ personal information is backfiring again. A new report has revealed that user names and phone numbers of over 267 million US user accounts have been scraped by malicious actors and uploaded to a hacker forum.
According to a report from Comparitech, around 267 million Facebook user names and phone numbers were left exposed on a web server with not even a password to prevent unauthorized access. This isn’t the first time this has happened. In September, a researcher found the personal information of over 400 million Facebook accounts from all over the world stored on an unsecured web server. Luckily, that dataset turned out to be old and there’s no evidence that it was used to compromise any accounts.
Comparitech, together with security researcher Bob Diachenko, uncovered the new treasure trove for data thieves, which was stored on an Elasticsearch cluster. Diachenko suspects it was obtained through an illegal scraping operation in Vietnam that abused a Facebook API.
The dataset was online between December 4 and December 18, and could be used in SMS spam and phishing campaigns. Most of the user IDs, phone numbers, and names appear to belong to US Facebook accounts, and the data was allegedly shared on a hacker forum.
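The report describes a cluster reachable without any password. As an added illustration (not from Comparitech's report or the cluster in question), the fragment below contrasts an Elasticsearch node configuration that answers anonymous requests from any interface with one that requires authentication and only listens locally; the setting names are Elasticsearch's own, the TLS paths are placeholders.

```yaml
# elasticsearch.yml — exposed configuration (what an unsecured cluster looks like)
cluster.name: example-exposed          # constructed example name
network.host: 0.0.0.0                  # binds to every interface, reachable from the internet
http.port: 9200
xpack.security.enabled: false          # no authentication: anyone who can reach port 9200 can read every index

---
# elasticsearch.yml — hardened configuration
cluster.name: example-hardened         # constructed example name
network.host: 127.0.0.1                # listen on loopback only; put a reverse proxy or VPN in front if remote access is required
http.port: 9200
xpack.security.enabled: true           # require credentials on the REST API and transport layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12  # placeholder path
```

With the hardened settings an unauthenticated `GET /` returns HTTP 401 instead of the cluster banner, which is the quickest check an operator can run against their own nodes after a change.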
A Facebook spokesperson said the company is investigating the report, and reiterated that this may be another old dataset from 2018 when developers were able to access too much information from publicly visible profile pages. The company restricted access after the Cambridge Analytica scandal.
One way to protect yourself is to make sure that only friends can see your profile picture, your details, and what you post on your wall. Also, make sure the option “Do you want search engines outside of Facebook to link to your profile” is set to “no,” since publicly indexable profiles are one of the things that facilitated the scraping behind this Elasticsearch dataset.
In related news, Facebook hard disks containing payroll information were stolen earlier this month during a car robbery. No Facebook user data was compromised, but it prompted the company to tighten its security policies.