If you use Facebook, like many of us do, then keep reading. As reported in TechCrunch last week, researchers at GDI Foundation discovered an exposed server online containing the phone numbers of over 400 million Facebook users. The server wasn’t password protected, meaning that anyone could have found it.
When asked for a comment, a Facebook spokesperson said that the data had been scraped before Facebook cut off access to user phone numbers back in 2018.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Jay Nancarrow, Facebook spokesperson
Despite Facebook downplaying this incident, the user data appear to have been uploaded into the vulnerable server’s database at the end of last month, but there’s no way to confirm whether the information was stolen prior to Facebook making the change in 2018, or as the result of a more recent breach.
The database was found to include records from users around the world, including 133 million U.S. accounts, 50 million Vietnamese accounts, and 18 million British accounts, among others. The researchers also discovered that some records contained an alarming amount of detail, including users’ names, genders, telephone numbers and countries of residence. This is truly alarming.
How was the data stolen?
The article discusses a technique called scraping. Scraping goes by several names, such as web scraping, screen scraping, web data extraction, web harvesting, and more. At its core, scraping is the automated, bulk extraction of data from websites, and it is a technique attackers use to pull large amounts of user information out of a service one request at a time. The collected data are then typically saved locally, for example as a spreadsheet or loaded into a database, which is what happened in this incident.
As stated by the Facebook spokesperson, telephone number search functionality was removed in April 2018. The move was made public in a post by Facebook CTO, Mike Schroepfer.
“Until today, people could enter another person’s phone number or email address into Facebook search to help find them… However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So, we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.”
Mike Schroepfer, Facebook CTO
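The abuse Schroepfer describes leaves a recognisable trace on the server side: one account submitting a long stream of different phone numbers or email addresses to a lookup endpoint. The following detection check is an added example, not code from the article or from Facebook; the log format, account names, numbers and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from the article or from Facebook). Each line is
# "<ISO timestamp> <requesting account> <lookup type> <target>".
# acct-2001 behaves like a normal user finding a couple of contacts;
# acct-1001 feeds a list of different numbers through the lookup feature,
# which is the pattern scraping via search or account recovery leaves behind.
SAMPLE_LOG = """\
2019-08-30T10:00:00Z acct-2001 phone +15550000900
2019-08-30T10:00:05Z acct-1001 phone +15550000001
2019-08-30T10:00:06Z acct-1001 phone +15550000002
2019-08-30T10:00:07Z acct-1001 phone +15550000003
2019-08-30T10:00:08Z acct-1001 phone +15550000004
2019-08-30T10:00:09Z acct-1001 phone +15550000005
2019-08-30T10:00:10Z acct-1001 phone +15550000006
2019-08-30T10:00:11Z acct-2001 phone +15550000900
2019-08-30T10:02:30Z acct-2001 email friend@example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, kind, target)."""
    ts, source, kind, target = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, source, kind, target


def detect_enumeration(log_text, window_seconds=60, max_distinct=5):
    """Return {account: peak distinct targets} for every account that looked up
    more than max_distinct different identifiers within any sliding window.
    Repeated lookups of the same contact do not count, so ordinary use stays quiet."""
    recent = defaultdict(deque)  # account -> deque of (timestamp, target)
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, source, _kind, target = parse_line(raw)
        window = recent[source]
        window.append((when, target))
        # Drop events that have fallen out of the sliding window.
        while (when - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({t for _, t in window})
        if distinct > max_distinct:
            flagged[source] = max(distinct, flagged.get(source, 0))
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The same per-account count is what a rate limit on the lookup endpoint would act on; the threshold is a tuning choice, not a value from the article.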
Yet this is just the latest in a string of security-related incidents at Facebook that have exposed millions upon millions of users’ phone numbers to bad actors. This greatly increases the risk of future issues such as spam calls and SIM-swapping attacks, in which the attacker tricks a mobile carrier into transferring a victim’s phone number to a SIM the attacker controls. Once the attacker receives the victim’s calls and text messages, they can reset the passwords of other online accounts that use that number for SMS verification or account recovery.
The real problem with Facebook is their lack of informative guidance. For example, in this post from October 2018, VP of Product Management, Guy Rosen, gives some detail about last year’s breach. He describes the way that tokens (used to help users maintain a session without re-entering a password) were compromised. Then, in an undated post from Facebook’s Help Center, the company states that it invalidated almost 90 million tokens that had potentially been compromised. The post goes on to say: “There’s no need for anyone to change their passwords.”
I can understand Facebook’s desire not to sound alarmist, but this simply is not good advice. Changing a password is a simple and very effective method of restoring account security, and while it may not technically have been required in every case, it’s certainly a good precaution.
Caveat Emptor, Facebook Users
We all know that Facebook isn’t perfect, but they have clearly been too cavalier with our personal information. The company says it is making efforts to improve security for users, but it is still not doing enough. The long and short of it is that the responsibility really falls on us as technology consumers to be more vigilant in how and where we use personally identifiable information. Taking common-sense precautions by regularly changing passwords is one good step. Opting for multi-factor authentication whenever available is another. Ultimately, as with many things in life, it really is a case of buyer beware.
For further reading on this topic, check out Facebook: 419 Million Scraped User Phone Numbers Exposed by Mathew J. Schwartz in Data Breach Today.