A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. The open database, which has been pulled down, wasn’t protected by a password or any other safeguard for nearly two weeks. In fact, someone has already made the data available for download on a hacker forum.
Names and phone numbers of more than 267 million Facebook users is exposed https://t.co/KeW9QvA578 pic.twitter.com/hI7sLuBZb9
— AFP News Agency (@AFP) December 20, 2019
While on the surface a database of phone numbers does not seem like something to be concerned about, this type of information, all in one place, is a gold mine for scammers and cybercriminals. Attackers know that these numbers are mobile devices and that they can likely receive text messages. They also know these numbers are associated with a Facebook account and can craft attacks that seem legitimate using this information.
It is very difficult for people to defend against this sort of breach because many platforms ask for information, such as phone numbers, to use the platform. It’s very unfortunate when these organizations fail to protect this data after collecting so much of it.
For years I yelled “no Facebook, you cannot have my phone number” every time it asked. Not because I didn’t want my account more secure but, rather, I figured some day that database would get dumped. The rich personal information everyone shares on Facebook, coupled with a simple way to get access to speak to you, is a tremendous feeder source for scams.
The fact that this was discovered by a third party, and that the database it was stored on was inadvertently found, makes me wonder how many copies of this data exist, and it makes me ask: what else has been stolen that we haven’t heard about yet?
Facebook wants to keep your data secure and private; this is another reminder that Application Security is hard. The bad guys only have to win once to have a big impact.
The 267 million Facebook users who had their names and personal phone numbers exposed to potential hackers are at high risk for a variety of targeted spam messages, phishing attacks or other scam attempts. With this information, hackers are given a direct line of access to these users – and that can enable criminals to more effectively target these users and gain further private information that can be utilized by bad actors. Given the length of time that this information was publicly available, the likelihood of these attacks is especially high.
All organizations have an obligation to protect any sensitive information related to their customers or user base, both in their core practices and through any third parties or services they may utilize – Facebook is certainly no different. To prevent future breaches, organizations must take a multi-pronged approach to their security measures, ensuring that their network security is continually tested against new and emerging threats. By placing an emphasis on network detection and response, organizations are better positioned to recover from – and ultimately more quickly prevent – attacks on their customers.
It seems FB is in the news every month with a cybersecurity issue. The term “too big to fail” may not apply to Facebook, but they do seem to be failing at data security, left and right. Even though the California Consumer Privacy Act (CCPA) is not finalized, when it does become enforceable in early 2020, it is possible that Facebook users (and ex-users) will exercise their Rights under CCPA, which could force FB to take a more serious approach to improve their security posture.
It is important for anyone using the internet to remember that anything posted online, once posted, can potentially be seen by anyone. As we have seen in recent data breaches, everything from phone numbers to health records has been made public. Practice due care and ensure that only information one is comfortable with being made public is freely posted on social media sites.