267 Million Facebook Users' Private Details Exposed, Shared on the Dark Web
Names, phone numbers, email addresses and more for sale on the dark web
A cybersecurity firm has issued a warning after discovering that the personal details of 267 million Facebook users were uploaded to a database on the dark web, where they are being sold and redistributed.
The Facebook IDs, names, phone numbers, and email addresses of 267,140,436 mostly American users have been exposed in an unsecured database on the dark web, where they can be bought by spammers and hackers.
The data was discovered in the database by researcher Bob Diachenko and cybersecurity firm Comparitech, according to a report published Thursday.
The report warns that people identified in the database could be the target of spam messages or phishing schemes.
While it's not yet known how the sensitive information was exposed, Diachenko traced the database back to Vietnam and believes it may have been stolen directly by hacking Facebook's developer API.
Otherwise, it could have been compiled through an illegal process called "scraping" – where automated bots copy public information from Facebook profiles.
Access to the database has since been removed; however, the records appear to have been available to anyone, without a password or any other authentication, for two weeks before the database was uncovered, according to the Daily Mail.
A downloadable link to the data had also been posted to a popular hacker forum.
The security breach follows a massive leak in September, in which more than 400 million user phone numbers were exposed, and the major scandal of 2018.
In that scandal, it was revealed that Cambridge Analytica had harvested personal data from millions of people's Facebook profiles without their consent and used it for political advertising purposes.
A Facebook spokesperson confirmed that the database had been taken down and said: "We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people's information."
Facebook removed phone-number information from its API in April 2018 in the wake of the Cambridge Analytica scandal, meaning that the numbers included in the database are likely more than 18 months old.
Comparitech's Paul Bischoff reported that the database first appeared online on December 4.
The data was shared publicly on a forum for hackers on December 12.
Diachenko discovered the database in December and immediately reported it to the internet service provider managing the IP address, as he suspected the data belonged to a criminal organization.
Though the database is no longer available online as of Thursday, it is possible that it was copied elsewhere prior to being taken down, Comparitech warned, noting that all the data appeared to be valid.
Each of the more than 267 million records exposed included a full name, phone number, timestamp, and unique Facebook ID.
Facebook IDs are unique, public numbers associated with specific accounts, which can be used to determine an account's username and other profile information, according to Comparitech.
Bischoff said experts are not sure how the information landed in the hands of cyberthieves, but they have their suspicions.
The first possibility is that the hackers stole the data from Facebook's developer API prior to Facebook restricting access to phone numbers last year.
Diachenko told Comparitech: "Facebook's API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted."
Another possibility is that the cybercriminals used an illegal process called "scraping."
This involves bots combing through numerous web pages and copying data as they go along.
"A database this big is likely to be used for phishing and spam, particularly via SMS," Bischoff wrote.
"Facebook users should be on the lookout for suspicious text messages."
"Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages."
Comparitech advised users to reduce their risk of being targeted in future data breaches by tightening their security settings to limit the amount of information visible to the public.
Just three months ago, another massive leak occurred.
Phone numbers linked to more than 400 million Facebook accounts were posted online in September.
According to TechCrunch, 133 million US accounts, more than 50 million in Vietnam, and 18 million in Britain were among 419 million records left in an open online server that was not secured with a password.
This includes, according to the person who unearthed the database, profiles and phone numbers of some celebrities.
Facebook did confirm the report but said the total number was likely to be around half because of duplicate entries.