Unprotected databases are behind a leak that exposed information, including unique identifiers and phone numbers, on more than 419 million Facebook users – 133 million of those records belonging to users in the U.S.
Security researcher Sanyam Jain, a GDI Foundation member, discovered the databases, which were not password-protected. The records were apparently scraped from the social media platform more than a year ago before the company "made changes last year to remove people's ability to find others using their phone numbers," a TechCrunch report cited a Facebook spokesman as saying.
“Think hard before giving your phone number to any social networking business – they are in the business of aggregating and monetizing consumer data,” warned Lucy Security CEO Colin Bastable. “And the phone number can be used to compromise your account. Online businesses often ask for the number “in case you need to recover access to your account.”
Jonathan Bensen, CISO at Balbix, said, “Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim.”
Bensen contended,”Exposed individuals even put their employers at risk; attackers can leverage stolen numbers to obtain unauthorized access to work email and potentially expose more data.”
The exposed data is the latest in a string of privacy and data protection missteps by Facebook, which had fallen under intense scrutiny after it suspended Cambridge Analytica —the data analytics firm used by the Trump and Brexit campaigns to target voters—for violating its policies when it collected the personal data from accounts of 50 million Americans without their permission.
In July, the Federal Trade Commission (FTC) penalized Facebook $5 billion as punishment for what it described as deceptive privacy practices, and imposed new restrictions on the social media giant. Facebook likewise announced that it had agreed to the terms of the deal.
Just last week the social media giant released a string of emails related to data scraping that discuss the its internal conversation over the possibility that some Facebook contractors were violating the company’s terms of service when extracting data from profiles.
The documents were released due to agreement between Facebook and the District of Columbia attorney general’s office. Facebook originally refused the attorney general’s request for the documents to be released as they were part of court filings in connection with the attorney general’s lawsuit against Facebook over the Cambridge Analytica breach. However, last week the two sides came to terms and Facebook agreed to release redacted versions. The information contained in these emails had already been included in court documents filed previously.
But Facebook is hardly alone in sketchy privacy practices. “Microsoft’s LinkedIn does the same thing. So many people and organizations pay have access to data that Facebook, Alphabet and Twitter hold, and collectively Big Tech has an atrocious record of securing data,” Bastable noted.
He pointed out that “we have just learned about Google running secret web pages to aggregate and sell consumer data for targeted advertising,” contending “there is no altruistic purpose in requesting or holding consumer data – everything is for sale.”
