
Millions of Facebook user details leaked online

(Image credit: Katherine Welles / Shutterstock)

Cybersecurity researchers have found a database containing the personal information of millions of Facebook users, just sitting on a server available for anyone who knew where to look.

Researchers from cybersecurity firm Comparitech, together with researcher Bob Diachenko, said they found an unsecured Elasticsearch database that contained the names, phone numbers and IDs of 267 million Facebook users.

The database itself, they believe, did not belong to Facebook, but most likely to a hacking group either using it for phishing and spreading malware, or selling it. The database was available online for two weeks before the researchers found it; they ultimately managed to take it offline by reaching out to the internet service provider (ISP) that manages the server’s IP address.

The researchers believe the compromised phone numbers could be used for SMS phishing and warn everyone to be extra vigilant when receiving SMS messages.

The database contains mostly American users, the researchers said, adding that they still don’t know how it was populated. Possible scenarios are that the information was stolen through Facebook's developer API, or that the API has a bug.

“‘Scraping’ is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database,” according to the report. “It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service.”

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.