267M Facebook User IDs, Phone Numbers And Names Exposed Online – Expert Commentary

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. The open database, which has been pulled down, wasn’t protected by a password or any other safeguard for nearly two weeks. In fact, someone has already made the data available for download on a hacker forum.

Erich Kron, Security Awareness Advocate
InfoSec Expert
December 23, 2019 11:20 am

While on the surface a database of phone numbers does not seem like something to be concerned about, this type of information, all in one place, is a gold mine for scammers and cybercriminals. Attackers know that these numbers are mobile devices and that they can likely receive text messages. They also know these numbers are associated with a Facebook account and can craft attacks that seem legitimate using this information.

It is very difficult for people to defend against this sort of breach because many platforms ask for information, such as phone numbers, to use the platform. It’s very unfortunate when these organizations fail to protect this data after collecting so much of it.

Jason Kent, Hacker in Residence
InfoSec Expert
December 23, 2019 11:18 am

For years I yelled “no Facebook, you cannot have my phone number” every time it asked. Not because I didn’t want my account more secure but, rather, I figured some day that database would get dumped. The rich personal information everyone shares on Facebook, coupled with a simple way to get access to speak to you, is a tremendous feeder source for scams.

The fact that this was discovered by a third party, and that the database they were stored on was inadvertently found, makes me wonder how many copies of this data exist, and it makes me ask: what else has been stolen that we haven’t heard about yet?
Facebook wants to keep your data secure and private. This is another reminder that Application Security is hard; the bad guys only have to win once to have a big impact.

Stuart Reed, UK Director
InfoSec Expert
December 23, 2019 11:17 am

The 267 million Facebook users who had their names and personal phone numbers exposed to potential hackers are at high risk for a variety of targeted spam messages, phishing attacks or other scam attempts. With this information, hackers are given a direct line of access to these users – and that can enable criminals to more effectively target these users and gain further private information that can be utilized by bad actors. Given the length of time that this information was publicly available, the likelihood of these attacks is especially high.

All organizations have an obligation to protect any sensitive information related to their customers or user base, both in their core practices and through any third parties or services they may utilize – Facebook is certainly no different. To prevent future breaches, organizations must take a multi-pronged approach to their security measures, ensuring that their network security is continually tested against new and emerging threats. By placing an emphasis on network detection and response, organizations are better positioned to recover from – and ultimately more quickly prevent – attacks on their customers.

Jonathan Devaux, Head of Enterprise Data Protection
InfoSec Expert
December 23, 2019 11:14 am

It seems FB is in the news every month with a cybersecurity issue. The term “too big to fail” may not apply to Facebook, but they do seem to be failing at data security, left and right. Even though the California Consumer Privacy Act (CCPA) is not finalized, when it does become enforceable in early 2020, it is possible that Facebook users (and ex-users) will exercise their Rights under CCPA, which could force FB to take a more serious approach to improve their security posture.

Irfahn Khimji, Tripwire Inc
InfoSec Expert
December 23, 2019 11:08 am

It is important for anyone using the internet to remember that anything posted online, once posted, can potentially be seen by anyone. As we have seen in recent data breaches, everything from phone numbers to health records has been made public. Practicing due care and ensuring that only information one is comfortable with being made public should be freely posted on social media sites.
