Facebook Privacy Breach Leaves Hundreds of Millions of Users’ Phone Numbers Exposed
Hundreds of millions of phone numbers linked to Facebook accounts were left exposed on an unprotected server in the latest massive security breach to plague the embattled tech giant.
Up to 419 million phone numbers, including those of an estimated 133 million US-based users, were stored in a database housed on multiple servers. The revelation comes just weeks after Facebook was slapped with a record $5 billion fine by the US Federal Trade Commission for violating users’ privacy rights.
Each phone record was tied to a user’s unique Facebook ID (a long, public number associated with the account), which can then quickly and easily be used to ascertain yet more personal information such as a user’s name, gender and location by country.
This, in turn, can expose users to spam calls and allow hackers to launch SIM-swapping attacks, in which cell phone carriers are tricked into reassigning a target’s phone number to an attacker. The attacker can then force-reset the password on any online account registered with that number.
This particular method of attack was used against none other than Twitter CEO Jack Dorsey, whose own Twitter account was hijacked. Twitter announced on Wednesday that it was temporarily disabling the text-to-tweet function due to “vulnerabilities that need to be addressed by mobile carriers.”
The unsecured database has since been pulled offline, but its owner has not been identified despite the best efforts of independent cybersecurity professionals, as well as Facebook’s own investigators.
Facebook spokesperson Jay Nancarrow sought to downplay the significance of the breach.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said in a statement. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Facebook also claims that there are a significant number of duplicates in the database, reducing the likely total of exposed phone numbers by half.