Database of Facebook user phone numbers is offline

The unsecured server exposed phone numbers that could be matched with Facebook accounts.

Laura Hautala Former Senior Writer
Queenie Wong Former Senior Writer
An online database found on Sept. 5 links the name and purported phone number of Facebook Chief Executive Mark Zuckerberg, among others. When CNET called the number, it rang to voicemail, which hadn't been set up. CNET has redacted the number.

Screenshot by Stephen Shankland/CNET

An unsecured cloud server containing a database of Facebook user phone numbers is no longer available online. The server had been found online a day after the world's largest social network said a similar database had been removed.

Elliott Murray, a cybersecurity researcher in the UK, found the database live on Sept. 5. He believes it contained the same data Facebook said was scraped from a now-defunct feature that allowed users to look each other up by phone number.

As of Monday evening, the database was no longer publicly accessible. It's unclear who posted the data and why.

Murray was able to match a known phone number of a Facebook user provided by CNET with the correct name in the publicly accessible database. 

The discovery marked the latest example of how an unprotected database leaves consumers exposed. More organizations are moving their databases online, but many lack the expertise to do so securely. As a result, data that should be password-protected can be accessed by anyone with a browser and the correct IP address. Researchers now sleuth the internet for unsecured databases, which have revealed swaths of demographic details, sensitive health records and information on job hunters.

The exposed data could put users at risk of scam phone calls and other fraud, said Eva Velasquez, president and CEO of the Identity Theft Resource Center. A phone number combined with your name and any public information on your Facebook profile could help scammers convince you they're legitimate. Velasquez suggests making your social media profiles private whenever possible.

"Then the scammer is probably not even going to bother with you because they would go after the low hanging fruit," Velasquez said.

Instagram, which is owned by Facebook, has cracked down on scraping user data from its features as well. In May, it revoked the access of an Indian recruitment website called Chtrbox to its API after an exposed database indicated the company had scraped Instagram user data.

The exposed Facebook user phone numbers came to light on Sept. 4 in a TechCrunch report, which said researcher Sanyam Jain had discovered the data online. Facebook estimated that about 220 million users were affected by the exposed information.

Murray, who is CEO of cybersecurity company WebProtect, said he also encountered similar data. Checking for it again on Sept. 5, he saw the same types of data in an unsecured database. It is "almost certainly the same data" that was found in the database that was previously taken down, Murray said.

"Databases of this scale don't come often, and it's clear from the data contained that the two match," Murray said.

Facebook declined to comment for this story. The company told CNET in a statement on Sept. 4 that there's no indication individual users' accounts were breached.

CNET reached out to a phone number in the database linked to Facebook co-founder Chris Hughes. The person who replied via text said that she got the number earlier this year and ever since then she's received a lot of texts and calls for Hughes. She said her name was Ellen but declined to give her last name.

"I honestly wasn't aware this number was listed in a database until now and it must be listed elsewhere because you aren't the first reporter to contact me," she said.

CNET's Stephen Shankland contributed to this report. 

Originally published Sept. 5, 4:18 p.m. PT
Update, 7 p.m. PT: Adds comment from person who has a phone number in the database. 
Update, Sept. 6: Adds response from Facebook. 
Update, Sept. 10: Adds news that the database is no longer online.