Researcher Finds Unsecured Information on Millions of Facebook Users
A Ukrainian security researcher has reported finding a database with the information of more than 267 million Facebook users on the open internet, the Associated Press reports.
The data includes names, phone numbers and other identifying information. Nearly all of the users were based in the United States.
Bob Diachenko is an independent security researcher in Kyiv. He told the Associated Press, or AP, that criminals likely collected this data.
Diachenko said he discovered the database using a search engine. The database was freely accessible on the internet for at least 10 days beginning on December 4. On December 14, when he found it, he informed the internet provider that hosted the database. Five days later it was no longer available.
Diachenko said someone downloaded the database to a special group website two days before he discovered it. Hackers, or people who secretly get access to computer systems in order to get information or cause damage, use that website. So the database may have been shared among criminals.
Paul Bischoff runs the British technology news website Comparitech. It partnered with Diachenko to report his findings earlier this month. Bischoff has been writing about Diachenko's discoveries of unsecured databases for about a year.
The researcher provided the AP with 10 examples from the database. This included unique user identifications, or IDs, and two phone numbers that were answered, all of which were linked to real Facebook users.
The evidence suggests it was most likely criminals in Vietnam who illegally collected the data. They may have "scraped" it from public Facebook pages or by somehow getting special, high-level access to the service. Scraping is automated data-gathering done by computer programs. A small part of the database includes details on Vietnam-based users.
Diachenko said he did not share the database with Facebook, which did not directly confirm the finding. In a statement, representatives for the social media company said it was investigating the issue. They wrote that the finding "likely" involved information gathered before Facebook took some data-protection measures in recent years. The company did not say what those measures were.
In 2018, the company stopped permitting users to search for one another using their phone numbers. It did so after news spread that the political agency Cambridge Analytica had accessed information on up to 87 million Facebook users without their knowledge or permission.
Diachenko said he had not confirmed when the data was collected. He said all the records appeared to be from January to June of 2019. He added that it was unclear who created them.
Security experts say the affected Facebook users are at higher risk of facing password-stealing attacks and identity stealing attempts. The information can be matched with physical and email addresses and other data collected illegally. Facebook user IDs are unique numbers linked with individual accounts.
In September, the news site TechCrunch reported that a researcher found Facebook IDs and phone numbers for more than 400 million users online.
In March, after a security researcher reported on it, Facebook admitted that it had left hundreds of millions of user passwords readable by its employees for years.
I'm Pete Musto.