In total 267,140,436 records containing unique Facebook IDs, phone numbers, the users' full names and timestamp were exposed
In what sounds like a bad case of déjà vu, a database containing personal details of more than 267 million Facebook users has been found online.
Security researcher Bob Diachenko, working with Comparitech, discovered the data in an exposed Elasticsearch cluster on a server believed to have links to Vietnam. The same data was also found posted on a hacker forum as a downloadable file.
In total 267,140,436 records containing unique Facebook IDs, phone numbers, the users’ full names and a timestamp were exposed, accessible via a landing page that didn’t require a password. The majority of users affected are based in the US.
While names can, of course, be used to find lists of users with those names, it is the leaking of Facebook IDs alongside these names that would help hackers identify exact accounts. And once these accounts were found, their profile and any publicly posted info would be at the mercy of hackers.
This could be used for identity fraud, or to conduct large-scale SMS spam and phishing campaigns.
In a blog post detailing the find, Diachenko said the “trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam” and the database was first indexed on 4 December.
A little over a week later, on 12 December, the data was posted to a hacker forum. Diachenko sent an abuse report to the ISP managing the IP address of the server on 14 December and it has been offline since yesterday (19 December), hence today’s announcement.
It is believed the data was stolen from Facebook’s developer API before Facebook made changes to protect users last year. Facebook’s API is used by developers of third-party sites to add Facebook integration to their websites.
This includes accessing users’ profiles, friends list, groups, photos, and event data and, prior to 2018, phone numbers were also open to these developers. Following previous breaches and criticism, Facebook restricted access to phone numbers as part of its API changes last year.
Facebook’s response to this latest incident similarly suggests this is the case. A spokesperson said: “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”
However, Diachenko added that there is a chance Facebook’s API could have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted.
Alternatively, the data may have been scraped from public profile pages, which is against Facebook’s terms of service but is ultimately out of its direct control. Such breaches are a good opportunity to make sure your Facebook privacy settings are as you want them to be.
Go to Facebook | Settings | Privacy and check that the relevant fields are set to Friends or Only Me if you want to restrict access. You can also hide your profile from search engines.