TechCrunch is reporting “Huge database of Facebook users’ phone numbers found online”. Here’s the news brief (we’ve added the bold typeface for emphasis):
Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on US-based Facebook users, 18 million records of users in the UK and another with more than 50 million records on users in Vietnam. But because the server wasn’t protected with a password, anyone could find and access the database.
Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username. But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.
TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account. Some of the records also had the user’s name, gender, and location by country.
Hundreds of millions of Facebook users' phone numbers have been found in an unprotected online database. https://t.co/vxcP5KhGqq
— WRTV Indianapolis (@wrtv) September 5, 2019
What this really shows is that all too often large companies have little or no idea as to where all their critical information is. Over the years, it has been collected and stored in different locations, and while some people know about some of it, the people who should know, don’t. Without the understanding of what critical information is held and where, the ability to protect it becomes impossible. This isn’t just about the organisation itself, but also the partners up and down the information supply chain which have access to or copies of the critical information.
Unfortunately, once data has begun to spread in a chaotic manner, it is very, very difficult to get it back under control. For Facebook, with billions of users, millions of systems and an entire ecosystem of third parties, this is what they are trying to get back under control – and evidently it is challenging!
Social media companies must know what data they collect – not just today, but in the past. Know where it is stored and how it has been stored in the past. Look at consolidating customer data into as few places as possible. For many organisations this happened with the introduction of PCI (Payment Card Industry) regulations and standards, however, it is not so for many other types of organisations – even with the enforcement of GDPR last year. Fully understanding the information is key to protecting it. Once ‘contained’, ensure that it is suitably secured and only the minimum number of people have access to it. Have a plan to dispose of it when the project is finished. All too often a project needs data, so a copy is created and used, e.g. for a marketing campaign, and then it is left languishing once the project has ended “just in case”.
On an individual user basis, whenever you are posting something to social media or onto the Internet in general, consider whether it is really, really, really required. Imagine that the information posted, whether it is your age or a photograph, makes its way into the public domain: what would the consequence be? Does every site need your birthday? Ok, so you may get an email with an offer, but is that really worth it? In fact, in most cases, they don’t need to know your real birthday! While banks are used to handling and protecting your personal critical information, most other websites do not invest sufficiently to keep it all secure. So, think twice about posting personal information – the Internet never forgets.
Facebook Privacy, an oxymoron or the gift that keeps on giving? The latest exposure appears to be of old data, and comes after Facebook improved security by disallowing people to be searched using their phone numbers. It is likely, however, that more databases like this one could be discovered in the future and Facebook user-related information could continue to seep into the wild.
Data in general is much like water in how it flows, building like an inexorable wave. Privacy data is even more like water in how it can corrode trust and erode even the mightiest digital giant. In light of this latest revelation, Facebook users should be holding the company accountable about getting serious about privacy. I recommend Facebook make privacy a core value right now. Create a senior post to own privacy, staff it and back it. Then announce a 90-day survey and call in independent advisers and observers if they haven’t already done so. Then publish a plan and put fixes in place to what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry.
The leak of 419 million Facebook records demonstrates the personal privacy risks of placing confidential information online – once your data is exposed, it’s out there, it’s ripe for use by cyber criminals, and you can’t get it back. In the virtual world your information can travel far wider than it might in the physical world, as it can be distributed and replicated so easily. That means that while Facebook may have changed its approach to publicising phone numbers, it doesn’t mean to say that your phone number is now safe.
The digital world and cyber security are constantly evolving and, as businesses become more security savvy, they must simultaneously ensure that legacy systems and processes are protected in the same way as new technologies. This is particularly important when enterprises go through digital transformation and begin to make significant infrastructure changes, for example in transitioning to cloud-based systems. In the case of this latest leak, a server without a password containing such sensitive data isn’t acceptable.
This is not a technology issue but rather a process and procedure problem. Securing a server once it’s known to require maintenance and configuration is easily done, but visibility is key. Data such as phone numbers may require encryption if it can be cross-referenced with personally identifiable information such as emails, names and addresses. The root cause of this issue is lack of procedure in relation to tracking digital assets and applying the appropriate security.
This is not the first data privacy scandal that has hit Facebook – but that should not detract from the scale of this breach. With 419 million phone numbers exposed, the volume of this data leak is huge.
The main data set that has been leaked contains phone numbers, and in some cases Facebook ID, user name, gender and location by country were also exposed. Although these details may not seem that sensitive on the surface, they actually provide cybercriminals with a head start for carrying out fraudulent activity and identity theft. With mobile phone numbers often being used for two-factor authentication, there is a risk that hackers, with a little research, could attempt SIM-swap attacks and intercept one-time passcodes to break into any number of personal accounts. Using an app for 2FA, like Google Authenticator, is a good idea.
This data was leaked via an unsecured database server and it is unacceptable for companies to suffer data leaks in this way. Once again Facebook has let their users down.