TechCrunch reports that a security researcher stumbled across an exposed server on the internet containing databases with a total of more than 419 million records related to Facebook users.

According to TechCrunch’s reporting, each database record contains a user’s unique Facebook account ID (from which it’s possible to determine a user name) and phone numbers attached to the account. The treasure trove of data included 133 million records from US-based Facebook users, 18 million from the UK and 50 million records related to Vietnamese Facebook users.


But worst of all, with no password protection in place on the server, literally anybody with an internet connection could access the sensitive data.

Part of the exposed database. Source: TechCrunch

No one is suggesting that hackers compromised Facebook in order to collect the data. Additionally, the exposed databases were not found on servers used by Facebook itself. But in all likelihood, the data was scraped from millions of Facebook users’ profiles by a third party, perhaps one which had created an app that connected with Facebook accounts. This data scraping was no doubt assisted by users who were not aware of what was occurring or did not understand the implications of what they were allowing.

According to a Facebook spokesperson, the exposed data was collected before Facebook restricted access to users’ phone numbers:

This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.

However, the fact that the data may have been initially collected some years ago misses the point. It’s not uncommon for people to keep the same phone number for many years, and if an online company like Facebook did not do enough (Read more...)