Yesterday, TechCrunch reported of an exposed server with more than 419 million records from Facebook phone numbers are discovered online. According to Zack Whittaker, TechCrunch security reporter, the server was not protected with a password and was accessible to anyone. It featured 133 million records from U.S.-based Facebook users, 18 million records from users in the UK, and 50 million records on users in Vietnam.
The records contained each person’s unique Facebook ID along with the phone number listed on the account. Facebook IDs are unique numbers that can be associated with an account to discover a person’s username.
TechCrunch was able to verify multiple records in the database by matching a known Facebook user’s phone number against a listed Facebook ID. Other records were verified by matching phone numbers with Facebook’s password reset feature, which can be used to partially reveal a phone number linked to an account. Records primarily had phone numbers, but in some cases, also had usernames, genders, and country location.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said to TechCrunch. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,” they added.
The database was originally discovered by security researcher and a member of GDI Foundation, Sanyam Jain, who was able to locate phone numbers associated with several celebrities as well. It’s not clear who owned the database or where it originated from, but it was taken offline after TechCrunch contacted the web host.
Phone number security has become increasingly important over the course of the last few years due to SIM-hacking. This technique of hacking involves calling a phone carrier and asking for a SIM transfer for a specific number, thereby giving access to anything linked to that phone number, such as two-factor verification, password reset info, and more. Leaked phone numbers also expose Facebook users to spam calls, which have become more and more prevalent over the last several years.
Last week one of the security & privacy researchers, Jane Manchung Wong, in a series of tweets showed a Global Library Collector in the Facebook’s Android App code. According to Wong this GLC allows the mobile app to upload data from user’s device to Facebook servers. The tweet went viral and the general public had their say in it.
Facebook scans system libraries from their Android app user’s phone in the background and uploads them to their server
This is called "Global Library Collector" at Facebook, known as "GLC" in app’s code
It periodically uploads metadata of system libraries to the server pic.twitter.com/olwk1BPMoQ
— Jane Manchun Wong (@wongmjane) August 30, 2019
Most responses received from mobile app developers said that it is a known fact and Android phones upload system libraries to Facebook server to check the app stability. And the libraries do not contain any personal data. However, this report by TechCrunch is the latest security lapse involving Facebook and user’s personal data after a string of data breach incidents since the Cambridge Analytica scandal.
On Hacker News, the community expressed their distrust of Facebook’s statements. On user commented, “Facebook: “This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”
Not that “old.” Some of those “update” dates are just a few days ago.”
Another user commented, “But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.
Somewhat curious what the Status key represents in this dump, personally.”
What’s new in security this week?