A security researcher has found a database with more than 419 million records containing phone numbers of Facebook users, TechCrunch reported on Thursday. The database, which is no longer online, was hosted on a server without a password.
Facebook spokesperson Jay Nancarrow said the data was old and “appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers”. Until last year, Facebook allowed anyone to search for accounts using phone numbers.
Both TechCrunch and Sanyam Jain, who found the database, were unable to find the owner of the server. The database was taken down after TechCrunch contacted the web host. Jain found phone numbers linked with several celebrities, the report said. Some records also had the user’s name, gender and country.
The exposed data included 133 million records related to United States-based Facebook users, 18 million from the United Kingdom, and more than 50 million from Vietnam. It is not clear which other nationalities the exposed users belonged to.
Each record contained a user’s Facebook ID and the phone number linked with that account. The unique ID can be easily used to access the user’s account.
The records appeared to be genuine as TechCrunch said it was able to verify them for a number of users.
Nancarrow said the data set had been taken down and there was “no evidence that Facebook accounts were compromised”. Another spokesperson said an estimated 210 million users were affected as some of the records may have been duplicates, The Guardian reported.
Zack Whittaker, who reported the story for TechCrunch, said it was funny how Facebook said a lot of the exposed user phone numbers were duplicates. “A spokesperson told me [in] background that only 217 million are affected,” he said. “But that’s just one database... There’s a lot more data – and little evidence of duplication.”
“In other words, Facebook is under a lot of pressure to try to minimize the number of phone numbers that were exposed,” he said.
Facebook said it was investigating who compiled the database and when.