Comparitech, a site that publishes IT-related reviews and research, has found, in collaboration with security researcher Bob Diachenko, that the phone numbers and names of more than 267 million Facebook users were published in an online database that anyone could access. At the time of writing, the database has already been deleted, but the data had also been leaked to a hacker forum, and Comparitech has warned that the data is at risk of being used for SMS spam and phishing scams.
Comparitech and Diachenko search for unsecured databases online and report problems such as data leaks. On December 14, 2019, Diachenko discovered that a large amount of Facebook user data had been published online as an Elasticsearch database. The database stored a total of 26,714,436 Facebook user records, and most of the affected users were residents of the United States. Each record included the user's Facebook account ID, phone number and full name. Diachenko believes the exposure was not accidental, but that the data was likely leaked intentionally by a malicious actor.
According to Diachenko, about two weeks passed from the first indexing of the database until it was finally deleted, and events progressed on the following timeline:
December 4, 2019: The database is first indexed.
December 12, 2019: The data is posted to a hacker forum as a downloadable file.
December 14, 2019: Diachenko discovers the database and immediately sends an abuse report to the ISP that manages the IP address of the server.
December 19, 2019: The database is deleted.
In general, if you discover that a database is exposed online and personal information is leaking, the usual first step is to notify the database owner. However, Diachenko explained that he contacted the ISP directly because he believed the leak was apparently the work of a criminal organization.
It is not clear how the culprit obtained the Facebook account IDs and phone numbers, but before Facebook restricted developer access to phone numbers through the Facebook API in 2018, the data may have been stolen through the API under the guise of a third-party developer. Diachenko also noted that even after the Facebook API restricted access to phone numbers, there may still have been security holes through which criminals could access more detailed information. Another possibility is that the data was collected by web scraping public Facebook profile pages. Although scraping, in which automated bots copy data from web pages, violates the terms of most social networks, including Facebook, it is difficult to prevent in practice. Many people set their Facebook profile to public, but if you want to reduce the damage caused by scraping, you need to limit who can see your profile.
Information such as the phone numbers and names stored in the leaked database could be used for spam and phishing scams via SMS. Comparitech warns that Facebook users need to pay attention to suspicious text messages. Even if the sender knows personal information, including the recipient's name, it is dangerous to trust such a message, because an attacker can use the leaked information to collect even more personal data. Diachenko points out that the welcome page and login dashboard linked to the database contained Vietnamese text, suggesting that people in Vietnam were likely involved in the leak.