
267 Million Facebook Users Exposed in Accessible Database

An unprotected Elasticsearch database that was accessible from the Internet was recently found to store information on over 267 million Facebook users, according to tech website Comparitech.

Discovered in collaboration with security researcher Bob Diachenko, the database contained user IDs, phone numbers, and names, all of which could be accessed by anyone, without a password or any other form of authentication.

The data, Comparitech says, could have been exploited to conduct large-scale SMS spam and phishing campaigns, as well as for various other nefarious operations.

The Internet service provider (ISP) that manages the IP address of the server where the database was stored was notified and access to the information has been removed.

However, the database was exposed for around two weeks before that, and the information has already been made available for download via a hacker forum.

The database was first indexed on December 4 and emerged on the hacker forum on December 12. Diachenko discovered the database on December 14 and alerted the ISP immediately. As of December 19, the database is no longer available.

Evidence suggests that cybercriminals in Vietnam are responsible for the operation. The data was likely harvested as part of an illegal scraping operation, but it is also possible that it was gathered by abusing the Facebook API.

“Typically, when we find exposed personal data like this, we take steps to notify the owner of the database. But because we believe this data belongs to a criminal organization, Diachenko went straight to the ISP,” Comparitech explains.

The database contained a total of 267,140,436 records, most of the information pertaining to users in the United States. The entries, which appear to be valid, include a unique Facebook ID, phone number, full name, and timestamp.

The server hosting the database had a landing page, a login dashboard, and a welcome note.

Diachenko says that cybercriminals might have stolen the data via Facebook’s developer API before access was restricted in 2018. It is also possible that the API has a security vulnerability that the attackers abused to access the information even after access was restricted.

In fact, Facebook revealed in November that 100 third-party application developers continued to have access to user data via the Groups API even after access to the information was restricted.

Comparitech also notes that the data might have been gathered from publicly visible Facebook profiles, using automated tools.

“A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages,” Comparitech points out.

“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told AFP.

SecurityWeek reached out to Facebook for a comment on the matter and will update the article as soon as a reply arrives.

Update. “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told SecurityWeek.

Related: Facebook: Third-Party App Developers Improperly Accessed User Information

Related: Facebook Says 50M User Accounts Affected by Security Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
