More than 267 million Facebook user names and phone numbers have been exposed in a database sitting on the web without any password protection…

If that sounds familiar, that’s because the same thing happened back in September, when more than 400 million records were exposed.

This time, it does at least appear that Facebook wasn’t the guilty party in this privacy breach, at least not directly, as Comparitech reports.

Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.

The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users.

Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.

The Facebook user names database was online from at least December 4th to 18th.

The report says the criminals may have been able to access the data by exploiting a Facebook security hole, or it may have been done by simply scraping data from those who have their Facebook profile set to public.

How criminals obtained the user IDs and phone numbers isn’t entirely clear. One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018.

Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.

Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.

“Scraping” is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service.

Many people have their Facebook profile visibility settings set to public, which makes scraping them trivial.

It’s worth checking that your own profile is set to Friends Only: in the iOS app, tap the hamburger menu bottom-right then Settings > Privacy > Privacy Settings > Check a few important settings.

Facebook does seem to keep hitting the headlines for the wrong reasons, most recently after it admitted to accessing user locations even when people have opted out.


FTC: We use income earning auto affiliate links. More.

Pocketalk translation device

Photo: Shutterstock

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear