The phone numbers of hundreds of millions of Facebook users have been discovered online in the latest major data breach for the social network.
A security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.
A total of 18 million were from users in the UK, while around 133 million were from American accounts.
The records contained not only the users’ phone numbers but also their Facebook identification, which can be used to discern a person’s Facebook username.
Some records included the person’s gender and location details, according to Sanyam Jain, the security researcher who first reported the database to the TechCrunch website.
Security experts said a succession of previous Facebook data breaches should not detract from the severity of the latest scandal.
“With 419 million phone numbers exposed, the volume of this data leak is huge,” Richard Walters, chief technology officer of Censornet, told The Independent. “These details provide cyber criminals with a head start for carrying out fraudulent activity and identity theft… It is unacceptable for companies to suffer data leaks in this way. Once again, Facebook has let its users down.”
One way the phone numbers could be exploited is through so-called SIM-swap attacks, whereby hackers intercept passcodes sent to the numbers for two-factor authentication logins.
This would allow them to break into the personal accounts of Facebook users and view private messages or hijack the user’s posts. They could also intercept one-time passcodes to break into any number of personal accounts.
Facebook users whose numbers were exposed will also be vulnerable to spam calls, while one security researcher warned that hackers could actually use the data to hijack someone’s phone.
“In terms of the damage that could be done – the more a hacker knows about you the more powerful they are,” Dmitry Kurbatov, CTO of Positive Technologies, told The Independent.
“For instance, if he has information like name, surname, phone number, birth date, id number – this would probably be enough to impersonate you to your mobile carrier. Then he can ask to set up call and SMS forwarding, or to swap the SIM. Essentially from there the number is hijacked.”
Facebook said the phone numbers have now been taken down and claims there is no evidence that any accounts were compromised with SIM-swapping attacks.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said. “The underlying issue was addressed as part of a Newsroom post on 4 April 2018 by Facebook’s chief technology officer.”