More than a year after the Facebook-Cambridge Analytica episode, Facebook is once again in the news over a privacy breach. According to the latest report, an online database contained the phone numbers of 419 million Facebook users - 133 million US users, 18 million UK users and around 50 million users in Vietnam. These records were stored on an online server that was not password protected.
Each record included the user's unique Facebook ID and the phone number listed on the account, TechCrunch reported. A user's Facebook ID is a unique number associated with an account, and it can be used to discover a username on Facebook.
Sanyam Jain, a security researcher and member of the GDI Foundation, found that the database could be used to locate phone numbers associated with several celebrities.
At the time of reporting, TechCrunch had verified multiple records in the database by matching a known Facebook user's phone number against a listed Facebook ID. It also verified other records by matching phone numbers against Facebook's password reset feature, which can be used to partially reveal a phone number linked to an account. Records primarily contained phone numbers, but in some cases also included usernames, genders and country locations.
The database was taken offline after TechCrunch contacted the web host. Facebook has confirmed the incident and is investigating it. The database is believed to be old, as Facebook restricted data access in April 2018 and phone numbers were no longer made publicly available.
A Facebook spokesperson says that this data set is old and appears to have information obtained before Facebook made changes last year to remove people's ability to find others using their phone numbers. The data set has been taken down and the company has seen no evidence that Facebook accounts were compromised.
Facebook has not yet clarified whether it plans to inform users whose data has been exposed. The exposed data puts millions of users at risk of spam calls and SIM swapping attacks, which are on the rise. With access to user IDs and phone numbers, attackers can even use this information to force-reset passwords for almost any internet-based account associated with the same number.
There has been an increasing number of data breaches in the recent past. Just last week, Twitter CEO Jack Dorsey's account was hacked, and Twitter temporarily shut down the feature to tweet via text messages.