A database holding more than 267 million user IDs, phone numbers and names of Facebook users was left exposed on the internet without requiring any form of authentication to access.
Security researcher Bob Diachenko along with Comparitech discovered the database during their regular security audits of exposed databases using public search engines such as BinaryEdge.
"The database was first available online and then made its way to dark web," Diachenko told SC Media UK.
The database was first indexed on 4 December and the data was posted as a download on a hacker forum a week later. On discovering the database on 14 December, Diachenko immediately sent an abuse report to the ISP managing the IP address of the server.
Usually, the owner of the exposed database is alerted. However, because the team assessed that corralled data like this belonged to a criminal organisation, Diachenko went to the ISP instead. The database could no longer be found online on 19 December.
The evidence amassed indicates that the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, wrote Comparitech.
However, it was hard to assess whether this was part of the click, troll and adware farms that reportedly exist in Asian countries or from another group of data-scrapers, Diachenko said.
"It is hard to say exactly, but from what I've seen it was a paid or subscription-based service where one can check for this data online."
The database held only phone numbers, full names and Facebook user IDs, which the team verified. This data could be used to trace a user's identity, he told SC Media UK.
"This data might be used as a first step to create a full profile on you. For instance, your phone number associated with your Facebook profile can be part of another data breach where your email is exposed (and maybe other data). Then, step by step, by cross-referencing the data with other breaches, leaks and even open sourced information, you can be targeted by a sophisticated phishing or credential stuffing campaign."
Facebook is taking the necessary steps to mitigate such risks, such as no longer using phone numbers provided for two-factor authentication to suggest friends you may know, but "it should have been done much earlier", he said.
Instances like these should prompt consumers to pay close attention to the security policies of apps storing personal information such as phone numbers and email addresses, noted Michael Magrath, global regulations and standards director at OneSpan.
"Consumers should know that email and SMS are two of the least secure authentication methods, and should look out for new, more secure multi-factor authentication methods for identity verification in apps, such as biometrics, to enable stronger authentication. At the very least, users should be cautious of unsolicited text messages and recheck their Facebook privacy settings."