Experts Dots On Massive Database Of Facebook Users’ FB IDs And Phone Numbers Found Online – On An Unprotected Server

TechCrunch is reporting Huge database of Facebook users’ phone numbers found online. Here’s the news brief (we’ve added the bold typeface for emphasis):

Hundreds of millions of phone numbers linked to Facebook  accounts have been found online. The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on US-based Facebook users, 18 million records of users in the UK and another with more than 50 million records on users in Vietnam. But because the server wasn’t protected with a password, anyone could find and access the database.

Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username. But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.

TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account. Some of the records also had the user’s name, gender, and location by country.

Notify of
12 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Erich Kron
Erich Kron , Security Awareness Advocate
InfoSec Expert
September 5, 2019 12:52 pm

This is an unfortunate situation where, although the issue that led to a previous data breach was fixed, the impact of the issue has continued to cause serious problems.

The data involved here can be very valuable to attackers, as it contains individuals\’ unique Facebook ID and phone number. Because people often share very personal information on social media platforms, scammers can use the breach data to gain a wealth of information about the person and use that for scams. Children\’s names, online friends and family, political and religious beliefs and other sensitive information is a gold mine for scammers, and now it\’s tied to a phone number.

It is important for people to regularly check websites, such as Have I Been Pwned (, to see if they are the victim of a data breach already. While this will not undo the damage the breach has already done, it can help people be aware that what they thought was private information, such as a phone number, may not be anymore. In addition, people should be careful when they allow applications or websites to access sensitive information, such as phone numbers, and avoid giving up that information unless it is really necessary.

Last edited 2 years ago by Erich Kron
Jonathan Bensen
InfoSec Expert
September 5, 2019 12:54 pm

This exposure is the latest in a string of security and privacy incidents involving Facebook. Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim. Exposed individuals even put their employers at risk; attackers can leverage stolen numbers to obtain unauthorized access to work email and potentially expose more data.

Misconfigurations have been the reason behind several data leaks this year including incidents affecting Orvibo, Tech Data and ApexSMS. Companies are tasked with the hefty burden of continuously monitoring all assets across hundreds of attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of flaws in their network – far too many to tackle all at once. The key to thwarting future instances of data exposure is to leverage security tools that employ AI and ML to observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be fixed.

Last edited 2 years ago by Jonathan Bensen
Paul Bischoff
Paul Bischoff , Privacy Advocate
InfoSec Expert
September 5, 2019 12:58 pm

The exposure of this database puts millions of Facebook users at risk of spam, harassment, and SIM swap fraud. The lattermost could allow an attacker to hijack a user\’s account by bypassing two-factor authentication. By moving an existing phone number to a new SIM card, an attacker will receive the PIN number sent to the user\’s phone via SMS when logging in.

Last edited 2 years ago by Paul Bischoff
Jake Moore
Jake Moore , Cybersecurity Specialist
InfoSec Expert
September 5, 2019 1:01 pm

While simjacking attacks are currently on the increase, this latest breach should in no way be shrugged off and overlooked. Having phone numbers leaked is a huge deal and when linked to an online account, the repercussions could potentially be catastrophic.

Whether Facebook users were caught up in this breach or not, they should seriously consider using an authenticator app, rather than their phone number and an SMS to verify their account. Authenticator apps are free and far more secure when wanting to protect an account. And whilst they are at it, they should also consider changing all of their accounts, where possible, to app-based authenticators or a hardware security key form of verifying. These encrypt a one-time code sent over the network and stop any prying eyes from easily stealing your profile or even identity.

Last edited 2 years ago by Jake Moore
Dmitry Kurbatov
InfoSec Expert
September 5, 2019 1:05 pm

This attack should serve to remind us that even the largest companies companies can fail to secure data. Companies and consumers are very quick in the creation and adoption of new technologies and services but often they fail to protect themselves from the most basic attacks.

In terms of the damage that could be done – the more a hacker knows about you the more powerful he is. For instance, if he has information like name, surname, phone number, birth date, id number – this would probably be enough impersonate you to your mobile carrier. Then he can ask to setup call and SMS forwarding, or to swap the sim. Essentially from there the number is hijacked.

This particular data leak is huge in volume (419 million), but the information in each user record is not that detailed – facebook id, gender and phone number. Nonetheless this data could be useful to supplement another leaked database missing these pieces of information. The risk here is that many services, including banks, use phone numbers as a way to authenticate users. If the number is hijacked, they can bypass this protection and potentially break into accounts. We saw this happen to Twitter CEO Jack Dorsey’s Twitter account just last week.

Last edited 2 years ago by Dmitry Kurbatov
Eyal Wachsman
InfoSec Expert
September 6, 2019 1:02 pm

Even though this data is a year old, as Facebook representatives claim, it is still of value and users are at risk. As mentioned, the owner of the server has not been found and few causes could have led to such a server be left exposed online. Whether the server was used by Facebook employees for operational aspects such as testing, or a rogue insider trying to exfiltrate the data out, personal identifiable information managed by Facebook was sent out of the company’s network and left exposed on the internet. This reflects badly on the way Facebook manages the access to its data and the way that it is transferred. Following Facebook’s steam privacy scandals, you would think deploying strict user access policies to data and assets would be one of the first measures they would implement, alongside data leakage prevention solutions to monitor and prevent form such incidents to happen again.

Last edited 2 years ago by Eyal Wachsman
Tim Mackey
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
September 6, 2019 1:04 pm

It’s important to recognise that the owner of this database was not identified, which means that answering how information relating to Facebook accounts was collected isn’t immediately available. It’s also important to recognise that upon learning of the exposed data, the company hosting the data removed access. These realities are of course only marginally comforting to those seeking to limit the personal damage associated with any data breach. We know that malicious actors attempt to use any available data to build ever more complex methods to target the public. Defending against such attacks isn’t always easy, but starts with recognising that companies like Facebook won’t directly call their users, nor is it likely that a company you’ve not done business with will call you indicating any prior relationship with activity on Facebook. Similarly, knowing a user’s Facebook ID is only potentially useful when attempting to login as that user. Protecting against such an attack can be done by both changing your password and reviewing which applications you’ve granted access to your Facebook profile via access tokens.

Last edited 2 years ago by Tim Mackey
Richard Walters
InfoSec Expert
September 6, 2019 1:15 pm

This is not the first data privacy scandal that has hit Facebook – but that should not detract from the scale of this breach. With 419 million phone numbers exposed, the volume of this data leak is huge.

The main data set that has been leaked contains phone numbers, and in some cases Facebook ID, user name, gender and location by country were also exposed. Although these details may not seem that sensitive on the surface, they actually provide cybercriminals with a head start for carrying out fraudulent activity and identity theft. With mobile phone numbers often being used for two factor authentication, there is a risk that hackers, with a little research, could attempt SIM-swap attacks and intercept one time passcodes to break into any number of personal accounts. Using an app for 2FA, like Google authenticator, is a good idea.

This data was leaked via an unsecured database server and it is unacceptable for companies to suffer data leaks in this way. Once again Facebook has let their users down.

Last edited 2 years ago by Richard Walters
Eoin Keary
Eoin Keary , CEO and Cofounder
InfoSec Expert
September 6, 2019 1:17 pm

This is not a technology issue but rather a process and procedure problem. Securing a server once it’s known to require maintenance and configuration is easily done, but visibility is key. Data such as phone numbers may require encryption if it can be cross referenced with personal identifiable information such as emails, names and addresses. The root cause of this issue is lack or procedure in relation to tracking digital assets and applying the appropriate security.

Last edited 2 years ago by Eoin Keary
Stuart Reed
Stuart Reed , UK Director
InfoSec Expert
September 6, 2019 1:20 pm

The leak of 419 million Facebook records demonstrates the personal privacy risks of placing confidential information online – once your data is exposed, it’s out there, it’s ripe for use by cyber criminals, and you can’t get it back. In the virtual world your information can travel far wider than it might in the physical world, as it can be distributed and replicated so easily. That means that while Facebook may have changed its approach to publicising phone numbers, it doesn’t mean to say that your phone number is now safe.

The digital world and cyber security are constantly evolving and, as businesses become more security savvy, they must simultaneously ensure that legacy systems and processes are protected in the same way as new technologies. This is particularly important when enterprises go through digital transformation and begin to make significant infrastructure changes, for example in transitioning to cloud based systems. In the case of this latest leak, a server without a password containing such sensitive data isn’t acceptable.

Last edited 2 years ago by Stuart Reed
Sam Curry
Sam Curry , Chief Security Officer
InfoSec Expert
September 6, 2019 1:22 pm

Facebook Privacy, an oxymoron or the gift that keeps on giving? The latest exposure appears to be of old data, and comes after Facebook improved security by disallowing people to be searched using their phone numbers. It is likely, however, that more databases like this one could be discovered in the future and Facebook user-related information could continue to seep into the wild.

Data in general is much like water in how it flows, building like an inexorable wave. Privacy data is even more like water in how it can corrode trust and erode even the mightiest digital giant. In light of this latest revelation, Facebook users should be holding the company accountable about getting serious about privacy. I recommend Facebook make privacy a core value right now. Create a senior post to own privacy, staff it and back it. Then announce a 90 day survey and call in independent advisers and observers if they haven\’t already done so. Then publish a plan and put fixes in place to what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry.

Last edited 2 years ago by Sam Curry
Dr Guy Bunker
InfoSec Expert
September 16, 2019 3:01 pm

What this really shows is that all too often large companies have little or no idea as to where all their critical information is. Over the years, it has been collected and stored in different locations, and while some people know about some of it, the people who should know, don’t. Without the understanding of what critical information is held and where the ability to protect it becomes impossible. This isn’t just about the organisation itself, but also the partners up and down the information supply chain which have access to or copies of the critical information.

Unfortunately, once data has begun to spread in a chaotic manner, it is very, very difficult to get it back under control. For Facebook, with billions of users, millions of systems and an entire ecosystem of third parties, this is what they are trying to get back under control – and evidently it is challenging!

Social media companies must know what data they collect – not just today, but in the past. Know where it is stored and how it has been stored in the past. Look at consolidating customer data into as few places as possible. For many organisations this happened with the introduction of PCI (Payment Card Industry) regulations and standards, however, it is not so for many other types of organisations – even with the enforcement of GDPR last year. Fully understanding the information is key to protecting it. Once ‘contained’, ensure that it is suitably secured and only the minimum number of people have access to it. Have a plan to dispose of it when the project is finished. All too often a project needs data, so a copy is created and used, e.g. for a marketing campaign, and then it is left languishing once the project has ended “just in case”.

On an individual user basis, whenever you are posting something to social media or onto the Internet in general, consider whether it is really, really, really required. Imagine that the information posted, whether it is your age or a photograph makes its way into the public domain, what would the consequence be? Does every site need your birthday? Ok, so you may get an email with an offer, but is that really worth it? In fact, in most cases, they don’t need to know your real birthday! While banks are used to handling and protecting your personal critical information, most other websites do not invest sufficiently to keep it all secure. So, think twice about posting personal information – the Internet never forgets.

Last edited 2 years ago by Dr Guy Bunker
Information Security Buzz
Would love your thoughts, please comment.x