More than 267 Million Facebook User IDs Exposed

February 12, 2020

An Elasticsearch database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.

According to a Comparitech report, Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the database is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence. In addition, Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed, but the data had already been posted to a hacker forum as a download.

The information contained in the database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end users, warns the report.

The database was exposed for nearly two weeks (December 4, 2019 -December 19, 2019) before access was removed. In total, 267,140,436 records were exposed - and most of the affected users were from the United States. Diachenko says all of them seem to be valid. Each contained:

A unique Facebook ID
A phone number
A full name
A timestamp

The report notes that the server included a landing page with a login dashboard and welcome note. Facebook IDs, which are unique, public numbers associated with specific accounts, can be used to discern an account’s username and other profile info, says Comparitech.

It isn’t entirely clear how criminals obtained the user IDs and phone numbers, notes the report. However, there are two possibilities, Diachenko and Comparitech say:

The data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.
The data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.

To find out more, visit the Comparitech report.

I want to hear from you. Tell me how we can improve.

BNP Media Owner & Co-CEO, Tagg Henderson

You must login or register in order to post a comment.

Chad Schermerhorn, Security Expert at Brivo, will discuss how your physical security stack should be an operational asset. It should be based on the strongest, and most-up-to-date smart security that can protect you today and adapt for unexpected threats that may come.

DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Security Magazine

2020 June

This month in Security magazine, we highlight COVID-19 and infosec's response. How has the sudden shift to remote work changed the roles of CISOs and security teams? Also this month, we profile Justin Dolly, CSO at Sauce Labs, his view on infosec and building security teams. In addition, security experts discuss continuous monitoring, radicalism, quantum technology, endpoint security and more.

View More Create Account

More than 267 Million Facebook User IDs Exposed

Related Articles

Report Abusive Comment