Millions of Facebook users have had their data exposed online. This follows a discovery by security researchers who found an unsecured database containing the personal details of 267 million Facebook users. The database was reportedly left open for nearly two weeks.
It was discovered on 14th December, but had first been indexed on 4th December.
The database contained personal information including full names, phone numbers, and Facebook user IDs. Other details, such as payment information, are said not to have been exposed.
The team, security researcher Bob Diachenko working with Comparitech, said that they discovered an unsecured Elasticsearch database holding the personal details of millions of Facebook users. The most affected users reside in the US. Users who have not set their profiles to private are said to be the most affected.
The team has already notified the host of the database, who has since pulled it offline. According to Diachenko, the data had already been shared on a hacker forum two days after it first appeared online on Dec 12th.
It is not yet known how the data was obtained. The first theory offered is that it may have been stolen through Facebook's developer API; if so, this would have happened before the company restricted developer access to users' personal data such as phone numbers in 2018.
Alternatively, the data could have been obtained through scraping, or the Facebook API may have a glitch that still lets developers access this type of user data.
“A database this big is likely to be used for phishing and spam, particularly via SMS,” Diachenko said. “Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”
The researchers recommend that users set their profiles to private, which reduces the chance of their data being scraped.
Facebook has not commented on the matter to date. This is, however, not the first such incident: back in September, TechCrunch discovered an open server holding hundreds of millions of phone numbers belonging to Facebook users.