A database containing more than 267 million Facebook user IDs, phone numbers and names was left exposed on the web for anyone to access. 

According to Comparitech, Bob Diachenko, security researcher, uncovered the Elasticsearch cluster and believes the trove of data is the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence. The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users, says the news report. 

Diachenko notified the internet service provider managing the IP address of the server so that access could be removed, but the database remained opened two weeks after it was discovered. Diachenko says the data was also posted to a hacker forum as a download.

In total, 267,140,436 records were exposed. Most of the affected users were from the United States, says the report. Diachenko says all of them seem to be valid, and each record contained:

  • A unique Facebook ID, which are unique, public numbers associated with specific accounts, which can be used to discern an account's username and profile info, says the report.
  • A phone number
  • A full name
  • A timestamp

The server included a landing page with a login dashboard and welcome note. The news report notes that it is unclear how criminals obtained the user IDs and phone numbers. "One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018," notes the report. 

In addition, Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Diachenko also says another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.

According to the news report, “scraping” is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. "It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service," notes the report. 

In April 2019, UpGuard security researchers revealed that two third-party developed Facebook app datasets were exposed to the public internet. One database originated from Cultura Colectiva, a Mexico-based media company, and weighed in at 146 gigabytes with more than 540 million records detailing comments, likes, reactions, account names, Facebook IDs and more.