Another black mark on Facebook's record. An unprotected, publicly reachable Elasticsearch database containing over 267 million Facebook user IDs, names, and contact details was left online without password protection. The issue came to light after security firm Comparitech and researcher Bob Diachenko uncovered the exposed database in a joint investigation.
According to the researcher, the data was most likely collected through an illegal scraping operation or abuse of Facebook's API by cybercriminals in Vietnam.
Diachenko stated that 267,140,436 records were exposed in the incident, which could be used by attackers to launch SMS spam and phishing campaigns. The exposed data was also posted on a hacker forum for download.
After discovering the trove on December 14, Diachenko immediately notified the internet service provider managing the IP address of the server. The database is believed to have been exposed for nearly two weeks in total before it was taken offline on December 19.
“When we find exposed personal data like this, we take steps to notify the owner of the database. But because we believe this data belongs to a criminal organization, Diachenko went straight to the ISP,” Comparitech said in a statement.
It is still unclear how the attackers obtained the user IDs and phone numbers. Diachenko said Facebook’s API could have a security hole that allowed intruders to access personal data even after access was restricted. Another possibility, according to Diachenko, is that the data was harvested by scraping publicly visible profile pages.
“We are looking into this issue but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson said in a media statement.
This is not the first time that millions of Facebook users have been affected by a data breach. Recently, Facebook admitted a data breach involving 100 third-party app developers who had improper data access. In a blog post, Facebook’s Konstantinos Papamiltiadis, Director of Platform Partnerships, revealed that the app developers had access to user data such as group member names and profile pictures through the Group API.