Hundreds of millions of phone numbers from Facebook users have been discovered in an unsecured database online, in the latest privacy lapse linked to the social media company, according to Gizmodo.
With a total of more than 400 million records, the database includes 18 million users from the UK, as well as 122 million from the US. It was not
On Wednesday, Facebook confirmed that the data had been exposed, but claimed only 210 million users had been affected, since the database included duplicates.
Last April, in the wake of the Cambridge Analytica privacy revelations, the company eliminated a feature that allowed a user to be found by searching their phone number. The feature was created to allow users to find their friends and family on the platform, but the company warned at the time that it had been abused, with “malicious actors” looking up millions of numbers to tie them to individuals.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” the company’s chief technology officer, Mike Schroepfer, wrote in a blog post when the feature was removed last year.
The company now believes that this tool was likely used to compile the database uncovered this week.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” according to a response from a Facebook spokesperson.
The spokesperson declined to comment on whether Facebook would notify users who had been exposed, saying the company was still investigating the incident.
Zack Whittaker, the TechCrunch writer who first reported the leak, pointed out that anyone with a user’s phone number could potentially force-reset their Facebook account, access other private information, and even gain access to bank accounts. The phone number leak also exposes users to spam calls and other intrusions.
Malicious actors can even use phone numbers, paired with other personal data acquired online, to have a number transferred to a new phone by the carrier. Twitter CEO Jack Dorsey was subject to such an attack last week.
The UK Information Commissioner’s Office said it had referred the issue to Ireland’s IDPC, which leads