11 Sep 2019
A server without password protection gave anyone access to more than 419 million Facebook users’ private information globally. Each accessible record contained a user’s Facebook ID, phone number, and location. Some even had the user’s name.
This latest in a long string of incidents for Facebook exposed millions of users to significant risk to spam calls and SIM-swapping schemes, even a force-reset password on any internet account associated with that number.
Sanyam Jain, a security researcher and member of the GDI Foundation, found the database. When he was unable to determine the owner he contacted TechCrunch who contacted the web host. The database was then pulled offline.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” stated Jay Nancarrow, a Facebook spokesperson. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
Regardless, the data was there, and serves as a reminder to us all that data should never be stored online or publicly without a password.