The phone numbers associated with over 400 million Facebook accounts were exposed online in the latest privacy dilemma for the social media giant.
TechCrunch reported on Wednesday that an exposed server storing 419 million records was found online, including 133 million records belonging to U.S. users, 50 million to Vietnamese users, and 18 million to U.K. users. The server was not protected with a password, meaning anyone could access the database until late yesterday evening, when the host took down the site.
Each record contained a user's unique Facebook ID and the phone number associated with the account. A user's Facebook ID is a long, unique public number associated with the account. Users' phone numbers, however, have not been public since access to them was restricted in 2018 following the Cambridge Analytica scandal.
Facebook has confirmed that there is some truth to these allegations but has noted that the number of accounts so far confirmed is less than half of the reported 419 million and that the majority of the data was old and contained duplicates.
Facebook's latest data breach is a textbook example of the problem with storing data online publicly, without password protection. While data exposure is often the result of human error rather than malicious intent, exposures such as this put millions of users at risk of spam calls and SIM swapping. SIM swapping involves tricking a cell phone carrier into giving a person's phone number to an attacker, which enables the attacker to force-reset passwords on any internet accounts linked to that phone number.
This technique was recently used by the hacker group Chuckling Squad to hijack Twitter CEO Jack Dorsey's account, tweet offensive messages and make a bomb threat. The tweets have since been removed, and Twitter has temporarily disabled the feature that allows users to post tweets via SMS.