A server with databases holding the phone numbers and identity numbers of perhaps as many as 200 million Facebook users in the U.S., the U.K. and other countries has been found open on the Internet by a security researcher.
No one knows who the database belongs to, how or when it was copied from Facebook, according to TechCrunch, which first reported the discovery Wednesday.
A total of 413 million records are in the databases, but according to news reports, roughly half of them are duplicates.
TechCrunch quoted Facebook spokesperson Jay Nancarrow as saying the data had been scraped before Facebook cut off public access to user phone numbers over a year ago. Until then users could search the social media site for phone numbers.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” Nancarrow said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
However, TechCrunch noted that in the hands of a threat actors a phone number could be used at least for spam calls, and at worst for SIM-swapping attacks, where a cell carrier is tricked switching the phone number of a user to another device.
Each record in the databases contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account. TechCrunch said it can easily be used to discern an account’s username. Some of the records also had the user’s name, gender and location by country.
TechCruch said this is a typical page found in the database:
Sanyam Jain, a security researcher and member of the GDI Foundation, found the database and contacted TechCrunch after he was unable to find the owner. The news site also couldn’t find the owner but was able to identify the web host, who pulled the server offline.