Another trove of phone numbers linked to Facebook user accounts has been discovered on a server exposed online.
GDI Foundation member and security researcher Sanyam Jain found the exposed server, which held data of Facebook users across the globe, from 133 million records of US users to 50 million from Vietnam, reported TechCrunch.
Each of them held the unique Facebook ID of the individual user and the phone number given on the user account, said the report.
The server was not password-protected, giving access to anyone online. Neither the researcher nor TechCrunch was able to find the owner of the server. However, the database was removed after TechCrunch contacted the web host.
A Facebook spokesperson told TechCrunch that the data had been scraped before Facebook severed access to phone numbers of users. The data set was removed and there is no evidence of account compromise, the spokesperson said.
That statement is hardly convincing, say security experts.
"The size of the data breach impacting 419 million user accounts makes it one of the largest data breaches in 2019. The statement from Facebook downplaying the significance of the data breach is an attempt to reduce accountability by stating that the data is old," said Joseph Carson, chief security scientist & advisory CISO at Thycotic.
"However, this does not make any difference when such data does not change, meaning that while old, it is very likely to be still accurate and valid. How often does the Facebook unique ID get changed, and how often do users change their mobile numbers? For the most part, probably never."
A series of missteps that Facebook took has been coming to light since the Cambridge Analytica scandal. It was revealed in 2018 that Cambridge Analytica had accessed and used the personal data of millions of Facebook users without their permission, which was later used to influence the 2016 US presidential election.
This time, the risk faced by Facebook users is unprecedented, warn security experts.
"Having phone numbers leaked is a huge deal and when linked to an online account, the repercussions could potentially be catastrophic," said Jake Moore, cyber-security specialist at ESET.
"The data involved here can be very valuable to attackers, as it contains individuals' unique Facebook ID and phone number," said Erich Kron, security awareness advocate at KnowBe4.
"Because people often share very personal information on social media platforms, scammers can use the breach data to gain a wealth of information about the person and use that for scams. Children's names, online friends and family, political and religious beliefs and other sensitive information is a gold mine for scammers and now it's tied to a phone number," he explained.
"In terms of the damage that could be done, the more a hacker knows about you the more powerful he is," said Dmitry Kurbatov, CTO of Positive Technologies.
"For instance, if he has information like name, surname, phone number, birth date, ID number, this would probably be enough to impersonate you to your mobile carrier. Then he can ask to set up call and SMS forwarding, or to swap the SIM. Essentially from there the number is hijacked."
"For almost a decade, we have enabled people to download their information from Facebook, and we recently improved our tools to make it easier to take that information to another service," Facebook’s chief privacy officer Erin Egan wrote in the announcement.
"But we’re confident we can offer people even more control through a new generation of data portability tools that protect privacy and support innovation," he added.
Sam Curry, chief security officer at Cybereason, called "Facebook privacy" an oxymoron.
"The latest exposure appears to be of old data, and comes after Facebook improved security by disallowing people to be searched using their phone numbers. It is likely, however, that more databases like this one could be discovered in the future and Facebook user-related information could continue to seep into the wild," he said.
With no way of verifying whether they were caught up in this breach, Facebook users should consider using an authenticator app rather than SMS-based two-factor authentication, said ESET's Moore.
"And whilst they are at it, they should also consider changing all of their accounts, where possible, to app-based authenticators or a hardware security key form of verifying. These encrypt a one-time code sent over the network and stop any prying eyes from easily stealing your profile or even identity," he added.