Nearly 270 million Facebook users have had their user IDs, phone numbers and names left in an unsecured database accessible on the Internet for anyone to mine, a security researcher said.
The information was found in a database that could be accessed without a password or other authentication, according to Bob Diachenko, a Ukrainian independent security researcher who discovered the exposure. The finding was reported in a blog post on the Comparitech website, a U.K.-based resource of information, tools, and product comparisons that helps consumers with buying decisions. Comparitech and Diachenko collaborate to uncover unsecured databases and report them to the public.
In total, 267,140,436 records were exposed. The user data may have been swiped as part of a scraping operation, perhaps by cybercriminals in Vietnam, Diachenko said. It also could have come from Facebook API negligence. “Scraping” is a process in which automated bots search out and copy specific, publicly available data into a database.
“Typically, when we find exposed personal data like this, we take steps to notify the owner of the database,” Comparitech wrote in the blog post. “But because we believe this data belongs to a criminal organization, Diachenko went straight to the ISP.”
Diachenko apparently uncovered the database using the open source Elasticsearch engine, surmising that it was accessible online from December 4, 2019 to at least December 14, 2019, when he found it and notified the internet provider. Five days later the database had been locked down, but on December 12 a hacker had already posted it as a download on an underground forum. The information in the database could likely be used for SMS spam attacks or phishing campaigns, the blog said.
While Diachenko did not share the database with Facebook, the social network told Comparitech that it was investigating the data exposure and had made an early determination that the data was mined before Facebook upgraded its data protection in the past few years. All of the records had time stamps from January to June 2019, according to Diachenko, but it was unclear when the data was collected or who generated the time stamps, the blog said.
Facebook has left sensitive data exposed a number of times before. Last September, Diachenko found another database with 419 million vulnerable Facebook records. A month later, nearly 30 million records were stolen. A year ago, a photo API bug enabled third-party apps to see pictures belonging to nearly 7 million users that the apps weren’t authorized to access. In September 2018, Facebook said it had exposed certain information on more than 50 million accounts in the largest known security breach in the company’s history to date. Last April, third-party contractors exposed more than half a million accounts. In November, thieves stole personal banking and payroll information of nearly 30,000 current and former Facebook employees in a heist of corporate hard drives from a worker’s car. And, of course, there’s the 87 million user exposure in the Cambridge Analytica flap.
Diachenko has previously discovered a trove of two million online records left exposed by Tarte Cosmetics, a New York City-based maker of beauty products sold by high-end retailers. In addition, last August he found that hackers had pilfered some 700,000 customer records from the giant Choice Hotels chain.