Facebook accidentally leaks phone numbers of 419 million users

'This is not the first data privacy scandal to hit Facebook but that should not detract from the scale of this breach... it's huge,' security expert warns

Anthony Cuthbertson
Thursday 05 September 2019 16:09 BST
Facebook has 'once again let users down' with its latest data breach, security experts say (AFP)


The phone numbers of hundreds of millions of Facebook users have been discovered online in the latest major data breach for the social network.

A security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.

A total of 18 million were from users in the UK, while around 133 million were from American accounts.

The records contained not only the users’ phone numbers but also their Facebook identification, which can be used to discern a person’s Facebook username.

Some records included the person's gender and location details, according to Sanyam Jain, the security researcher who first reported the database to the TechCrunch website.

Security experts said a succession of previous Facebook data breaches should not detract from the severity of the latest scandal.

“With 419 million phone numbers exposed, the volume of this data leak is huge,” Richard Walters, chief technology officer of Censornet, told The Independent. “These details provide cyber criminals with a head start for carrying out fraudulent activity and identity theft... It is unacceptable for companies to suffer data leaks in this way. Once again, Facebook has let its users down.”

One way the phone numbers could be exploited is through so-called SIM-swap attacks, whereby hackers intercept passcodes sent to the numbers for two-factor authentication logins.

This would allow them to break into the personal accounts of Facebook users and view private messages or hijack the user’s posts. They could also intercept one-time passcodes to break into any number of personal accounts.

Facebook users whose numbers were exposed will also be vulnerable to spam calls, while one security researcher warned that hackers could actually use the data to hijack someone’s phone.

“In terms of the damage that could be done – the more a hacker knows about you the more powerful they are,” Dmitry Kurbatov, CTO of Positive Technologies, told The Independent.

Facebook CEO Mark Zuckerberg has been forced to address a series of scandals in recent years regarding Facebook users’ personal data (AFP/Getty Images)

“For instance, if he has information like name, surname, phone number, birth date, id number – this would probably be enough to impersonate you to your mobile carrier. Then he can ask to set up call and SMS forwarding, or to swap the SIM. Essentially from there the number is hijacked.”

Facebook said the phone numbers have now been taken down and claims there is no evidence that any accounts were compromised with SIM-swapping attacks.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said. “The underlying issue was addressed as part of a Newsroom post on 4 April 2018 by Facebook’s chief technology officer.”
