The server was not protected with a password and was accessible to anyone. It featured 133 million records from U.S.-based Facebook users, 18 million records from users in the UK, and 50 million records on users in Vietnam.
The records contained each person’s unique Facebook ID along with the phone number listed on the account. Facebook IDs are unique numbers that can be associated with an account to discover a person’s username.
Facebook restricted access to phone numbers more than a year ago, so the database that was found is older than that. A Facebook spokesperson said that the data had been scraped prior to when Facebook cut off access to phone numbers, calling the dataset “old.”
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
TechCrunch was able to verify multiple records in the database by matching a known Facebook user’s phone number against a listed Facebook ID. Other records were verified by matching phone numbers with Facebook’s password reset feature, which can be used to partially reveal a phone number linked to an account. Records primarily had phone numbers, but in some cases, also had usernames, genders, and country location.
Phone number security has become increasingly important over the course of the last few years due to SIM-hacking, which involves calling a phone carrier and asking for a SIM transfer for a specific number, thereby giving access to anything linked to that phone number, such as two-factor verification, password reset info, and more.
SIM-hacking requires little more than a phone number and social engineering skills, and it has been devastating for people who have been impacted. Leaked phone numbers also expose Facebook users to spam calls, which have become more and more prevalent over the last several years.
The database was originally found by security researcher Sanyam Jain, who said that he was able to locate phone numbers associated with several celebrities. It’s not clear who owned the database or where it originated, but it was taken offline after TechCrunch contacted the web host. There is no word on why the data was scraped from Facebook or what it was used for.