Facebook has confirmed that 419 million phone numbers of its users have been found in a database without a password on the Internet. The document included only two data: the public number of Facebook's personal identifier, which is easy to link with the user's name, and the telephone number.
The Techcrunch technology website has published the finding thanks to information from Sanyam Jain, a researcher at the GDI Foundation. Jain was unable to find the owner of the database that was unprotected with a password and contacted Techcrunch to prevent the data from remaining available. When Techcrunch called the database host , it was removed.
According to the GDI Foundation, the largest group of phone numbers affected by this leak are 131 million Americans, followed by 50 million Vietnamese and 18 million Britons. TNeither GDI nor Facebook have been able to give details of how many Spanish or Latin American numbers were in this leak. "It is impossible to check all the data so our researchers choose a random selection and ask for high profile profiles, which helps us prioritize the severity of the filtration," says a GDI spokesperson.
Facebook has admitted that this data comes from its application: "This database is old and seems to have information obtained before the changes we made last year to withdraw the option for people to find others through their phone numbers. The database has been removed and we don't see any evidence that any Facebook account has been compromised. " The company also defends that many of those numbers in the database were duplicated.
When Facebook says "old" it means before April 2018. Facebook then allowed one user to find another only by using their phone number. "Malicious actors have abused these functions to scour [scrape] public profile information by entering phone numbers or emails they already had," Facebook said in a 2018 post announcing this change.
Facebook made it easy to link phone numbers with their owners. "Because of the scale and sophistication of the activity we have seen, we believe that the majority of people on Facebook may have had their public profile screened in this way," the network wrote in the post.
Facebook uses the technical term "scourge" used in computer circles to collect raw data available in public but not gathered in a database. It is not illegal, but the website that owns the data does not allow it to be easily accessible. From the company they say that today they continue making efforts to avoid the "scourge" of data. "The database has been removed and we don't see any evidence that any Facebook account has been compromised," says the company
Once again
The appearance of this database floating on the Internet is a new reminder of the "security oversights" of Facebook that have emerged from Cambridge Analytica, which did not let a massive leak of information linked to 80 million users. The little vigilance or dedication for the privacy of its Facebook users in recent years now comes to harm its users.
The seriousness of these leaks is not just that you "compromise a Facebook account," as the company says in its statement. The disclosure of personal information of users allows refined attacks such as duplicate sim card (or sim swapping ) or other social engineering. By duplicating sim, an attacker can gather a user's name, address and telephone number from different sources to convince a mobile operator to transfer the number from one sim to another, thus allowing control of one device from another.
A few days ago, Twitter founder Jack Dorsey was a victim of one of these tricks. The attackers managed to tweet racist and offensive messages via mobile from the @jack account.
COMMENTS