Facebook is staring down yet another security blunder, this time with an incident involving an exposed server containing hundreds of millions of phone numbers that were previously associated with accounts on its platform.
The situation appears to be pinned to a feature no longer enabled on the platform but allowed users to search for someone based on their phone number. TechCrunch’s Zack Whittaker first reported Wednesday that a server—which did not belong to Facebook but was evidently not password protected and therefore accessible to anyone who could find it—was discovered online by security researcher Sanyam Jain and found to contain records on more than 419 million Facebook users, including 133 records on users based in the U.S.
(A Facebook spokesperson disputed the 419 million figure in a call with Gizmodo, claiming the server contained “closer to half” of that number, but declined to provide a specific figure.)
According to TechCrunch, records contained on the server included a Facebook user’s phone number and individual Facebook ID. Using both, TechCrunch said it was able to cross-check them to verify records and additionally found that in some cases, records included a user’s country, name, and gender. The report stated that it’s unclear who scraped the data from Facebook or why. The Facebook spokesperson said that the company became aware of the situation a few days ago but would not specify an exact date.
Whittaker noted that having access to a user’s phone number could allow a bad actor to force-reset accounts linked to that number, and could further expose them to intrusions like spam calls or other abuse. But it could also allow a bad actor to pull up a host of private information on a person by inputting it into any number of public databases or with some legwork or by impersonation grant a hacker access to apps or even a bank account.