Personal information belonging to more than 267 million Facebook users has been exposed in an unsecured database on the dark web, it has emerged.
The Facebook IDs, phone numbers and full names of 267,140,436 users, most residing in the US, were discovered in the database by cybersecurity firm Comparitech and researcher Bob Diachenko, according to a report published Thursday.
The report warned that people identified in the database could be targeted by spam messages or phishing schemes.
Although it is not yet clear how the sensitive information was exposed, Diachenko traced the database back to Vietnam and speculated that it may have been compiled through an illegal process called ‘scraping’ – where automated bots copy public information from Facebook profiles – or stolen directly from Facebook’s developer API.
Access to the database has since been removed. However, the records appeared to have been available to anyone, with no password or other authentication, for two weeks before the exposure was uncovered. A downloadable link to the data had also been posted to a popular hacker forum.
The security breach follows a massive leak in September in which more than 400 million user phone numbers were exposed, and before that the major scandal of 2018.
It was revealed that Cambridge Analytica had harvested the personal data of millions of peoples’ Facebook profiles without their consent and used it for political advertising purposes.
A Facebook spokesperson confirmed to DailyMail.com that the database had been taken down and said: ‘We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.’
Facebook removed phone-number information from its API in April 2018 in the wake of the Cambridge Analytica scandal – meaning that the numbers included in the database are likely more than 18 months old.
Comparitech’s Paul Bischoff reported that the database first appeared online on December 4. The data was shared publicly on a forum for hackers on December 12.
Diachenko discovered the database in December and immediately reported it to the internet service provider managing the IP address, as he suspected the data belonged to a criminal organization.
Though the database is no longer available online as of Thursday, it is possible that it was copied elsewhere prior to being taken down, Comparitech warned, noting that all the data appeared to be valid.
Each of the more than 267 million records exposed included a full name, phone number, time stamp and unique Facebook ID.
Facebook IDs are unique, public numbers associated with specific accounts, which can be used to determine an account’s username and other profile information, according to Comparitech.
Bischoff said experts are not sure how the information landed in the hands of cyberthieves, but they have their suspicions.
The first possibility is that the hackers stole the data from Facebook’s developer API prior to Facebook restricting access to phone numbers last year.
Diachenko told Comparitech: ‘Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.’
Another possibility is that the cyber criminals used an illegal process called ‘scraping’.
This involves bots combing through numerous web pages and copying data as they go along.
‘A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages,’ Bischoff wrote.
‘Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.’
Comparitech advised users to reduce their risk of being targeted in future data breaches by tightening their security settings to limit the amount of information visible to the public.
Facebook has suffered a number of other data breaches in the past year. A similar database with personal information for more than 400 million users was discovered in September.
The social media giant came under fire in 2018 for providing the information of 87 million users to Cambridge Analytica. Only 270,000 of those users had given permission for their data to be shared.
The information was then used by Cambridge Analytica for political advertising purposes, as it helped them design software that could predict and influence voters’ choices at the ballot box.
However, the Cambridge University researcher at the centre of the affair did sue Facebook CEO Mark Zuckerberg for defamation, claiming Facebook had used him as a ‘scapegoat’ when the event surfaced.
That researcher, Aleksandr Kogan, was behind an app that helped to harvest data from Facebook users.
He is taking Zuckerberg to court after the company said that he had lied about how the data was going to be used.
Zuckerberg and other executives have said Kogan told them the data was for academic purposes, not political campaigns.
However, just four months ago, another massive leak occurred.
Phone numbers linked to more than 400 million Facebook accounts were posted online in September.
According to TechCrunch, 133 million US accounts, more than 50 million in Vietnam, and 18 million in Britain were among 419 million records left in an open online server that was not secured with a password.
This includes, according to the person who unearthed the database, profiles and phone numbers of some celebrities.
Facebook did confirm the report, but said the total number was likely to be around half because of duplicate entries.