27 September 2023

Facing failure: How Facebook’s exposed user data is popping up online

Nick Statt* says millions of Facebook users’ phone numbers may still be exposed online.


Image: Hermann Traub

Data scraped from an exposed Facebook database containing user phone numbers and information that linked those phone numbers to names and other profile information has popped back up in a separate online repository, even after the initial database was mysteriously pulled offline, according to a report earlier this month from CNET.

The initial, unprotected database contained more than 400 million records of Facebook users across the US, UK, and Vietnam.

The exposure, reported first by TechCrunch two weeks ago, is believed to have affected about 200 million users.

Speaking with UK security researcher Elliott Murray, CNET reports that the current trove of phone number data appears to have been completely scraped from the earlier database.

It’s unclear who owns either database, but Facebook confirmed the data was scraped from a server that stored it as part of a feature that let users look one another up by their phone numbers.

Facebook has not said how the data was taken off Facebook servers and why it was available online without any form of security protection.

After TechCrunch and security researcher Sanyam Jain contacted the web host of the initial server on 4 September, the owner took the database offline.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson told TechCrunch at the time.

“The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”

However, it appears some other third party got its hands on the data before Facebook did and has copied at least some of it, if not all of it, onto a separate server.

Murray told CNET the data found in this new database is “almost certainly the same” as the information in the initial one.

Murray did not disclose where or how he came across the new database.

CNET also contacted someone whose phone number was shown in the database to have once been linked to Facebook co-founder Chris Hughes. The person, who declined to be named, said they obtained the phone number earlier this year and are often contacted mistakenly by people looking for Hughes.

Facebook did not respond to a request for comment on whether this information was identical to the scraped data in the previous database, and how it plans to manage the takedown of this data now that it is no longer stored on one of its own servers.

* Nick Statt is a reporter and News Editor for The Verge. He tweets at @nickstatt. His website is nstatt.com.

This article first appeared at www.theverge.com.
