Facebook in fix over fresh privacy lapse, phone numbers of 400 million users leaked
Phone numbers linked to more than 400 million Facebook accounts were listed online in the latest privacy lapse for the social media giant, US media reported on Wednesday.
An exposed server stored 419 million records on users across several databases — including 133 million US accounts, more than 50 million in Vietnam, and 18 million in Britain, according to technology news site TechCrunch.
The databases listed Facebook user IDs — unique digits attached to each account — the profiles’ phone numbers, as well as the gender listed by some accounts and their geographical locations, TechCrunch reported.
The server was not password protected, meaning anyone could access the databases, and remained online until late Wednesday when TechCrunch contacted the site’s host.
Facebook confirmed parts of the report but downplayed the extent of the exposure, saying that the number of accounts so far confirmed was around half of the reported 419 million. It added that many of the entries were duplicates and that the data was old. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,” a Facebook spokesperson told AFP.
Following the 2018 Cambridge Analytica scandal, when a firm used Facebook’s lax privacy settings to access millions of users’ personal details, the company disabled a feature that allowed users to search the platform by phone numbers.
The tech giant’s spokesperson did not respond to questions about whether Facebook would inform users whose information was exposed or offer any mitigation to those affected, saying only that the company was still investigating.
Facebook’s characterisation of the data as “old” notwithstanding, phone numbers are an increasingly important key to people’s identities – and a potential vulnerability. While not as sensitive as a social security number, they are important identifiers that can be used to easily obtain significant amounts of personal information about an individual and their family from online data brokers, as the New York Times reported in August.
Skilled attackers can often leverage a mobile phone number and information gained through data brokers or social media sites (such as home address, previous addresses, family members, etc) to persuade mobile phone carriers to transfer a target’s phone number to a different phone.
The latest high-profile victim of this type of attack, which is known as SIM swapping, was Twitter chief executive officer Jack Dorsey, whose Twitter account was hijacked on Friday by a hacking group that appears to have gained control of his mobile phone number.
On Wednesday, Twitter announced that it was temporarily disabling the ability for users to send tweets through SMS, or text messages, due to “vulnerabilities that need to be addressed by mobile carriers”.
The latest lapse comes amid growing concern among US policymakers about the privacy of online users and has sparked calls for new legal protections in Congress.
The US Justice Department also recently said that it is launching a broad antitrust probe into the competitive practices of large tech companies like Facebook.