Facebook’s latest privacy lapse has exposed over 400 million user records on a server that wasn’t protected with a password. TechCrunch reports today that each record contained a user’s Facebook ID and the phone number linked to their account.
Ecobee HomeKit Thermostat
The server included records across several databases, including 133 million records for US Facebook users, as well as records for 18 million UK users and over 50 million users in Vietnam.
Each record included a user’s Facebook ID, which TechCrunch describes as a “long, unique, and public number associated” with Facebook accounts. That ID can then be used to figure out an account’s username. Each record also contained a user’s phone number, and in some instances name, gender, and location by country.
TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account.
Most notably, phone numbers have not been public on Facebook in more than a year after the company changed its policy. This is what makes it so notable that over 400 million records with phone numbers were left unprotected.
In a statement, a Facebook spokesperson said the dataset is “old” and has information from before the company’s policy change related to phone numbers:
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Facebook has had a rough history with user phone numbers. Over the last year, the company has faced a pair of controversies over how it used phone numbers users had provided for two-factor authentication purposes.