An unprotected Elasticsearch database that was accessible from the Internet was recently found to store information on over 267 million Facebook users, according to tech website Comparitech.
Discovered in collaboration with security researcher Bob Diachenko, the database contained user IDs, phone numbers, and names, all of which could be accessed by anyone, without a password or any other form of authentication.
The data, Comparitech says, could have been exploited to conduct large-scale SMS spam and phishing campaigns, as well as for various other nefarious operations.
The Internet service provider (ISP) that manages the IP address of the server hosting the database was notified, and access to the information has since been removed.
However, the database was exposed for around two weeks before that, and the information has already been made available for download via a hacker forum.
The database was first indexed on December 4 and emerged on the hacker forum on December 12. Diachenko discovered the database on December 14 and alerted the ISP immediately. As of December 19, the database is no longer available.
The data was likely harvested as part of an illegal scraping operation, although it is also possible that it was gathered by abusing the Facebook API. Evidence suggests that cybercriminals in Vietnam were responsible for the operation.
“Typically, when we find exposed personal data like this, we take steps to notify the owner of the database. But because we believe this data belongs to a criminal organization, Diachenko went straight to the ISP,” Comparitech explains.
The database contained a total of 267,140,436 records, most of them pertaining to users in the United States. The entries, which appear to be valid, each include a unique Facebook ID, phone number, full name, and timestamp.
The server hosting the database had a landing page with a login dashboard and a welcome note.
Diachenko says that cybercriminals might have stolen the data via Facebook’s developer API before access was restricted in 2018. It is also possible that the API has a security vulnerability that the attackers abused to access the information even after access was restricted.
In fact, Facebook revealed in November that 100 third-party application developers continued to have access to user data via the Groups API even after access to the information was restricted.
Comparitech also notes that the data might have been gathered from publicly visible Facebook profiles, using automated tools.
“A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages,” Comparitech points out.
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told AFP.
SecurityWeek reached out to Facebook for a comment on the matter and will update the article as soon as a reply arrives.
Update. “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told SecurityWeek.