The phone numbers of hundreds of millions of Facebook users are still online, turning up in a new database in an alarming twist.
Although the original server containing the Facebook data has already been taken down, new reports reveal that another user appears to have taken the data and posted it on another server.
An Unprotected Server Leaks Millions Of User Records Online
TechCrunch first reported the data leak, revealing that security researcher Sanyam Jain found an unprotected server with over 419 million records of Facebook users in the United States, United Kingdom, and Vietnam. Because the server was not protected with a password, anyone could access it, and users in the database could be at risk of spam calls and other online attacks.
Facebook representative Jay Nancarrow said that the data appears to be scraped from a now-defunct feature allowing users to find each other using just phone numbers.
"The data set has been taken down and we have seen no evidence that Facebook accounts were compromised," Nancarrow told TechCrunch.
However, the same data seems to have popped up on a new server almost immediately after the first one was taken down.
In a report from CNET, cybersecurity firm WebProtect CEO Elliott Murray revealed that he came across the same type of data in an unsecured database on Thursday, Sept. 5. According to him, it was almost the same data as that found on the server that was taken down.
"Databases of this scale don't come often, and it's clear from the data contained that the two match," Murray explained.
It's possible that a third-party individual may have gotten hold of the data — some, if not all of it — before Facebook took down the unprotected server, The Verge noted.
CNET reached out to a person whose current phone number was listed on the database associated with Facebook cofounder Chris Hughes. This person, who acquired the phone number earlier this year, has reportedly been contacted repeatedly by people who are trying to reach Hughes.
The Dangers Of Data Leaks
With companies moving their databases online, the privacy risk increases, especially when servers are left without passwords. Anyone online who has the IP address can access these servers, and plenty of individuals hunt for such unsecured databases on the internet.
Eva Velasquez of the Identity Theft Resource Center pointed out to CNET that this doesn't just expose consumers to scams, but also to all kinds of fraud. With just a name and a phone number, malicious players could already enable scammers to wreak havoc.