A huge cache of Facebook users' phone numbers and user IDs was for sale online, a researcher has found. The list of contact details for hundreds of millions of people -- easily tied to their names on Facebook -- was posted on a forum for trading stolen data.
The price for buying Facebook user data in bulk: $1,000.
Elliott Murray, CEO of UK-based cybersecurity company WebProtect, found the information for sale on the web forum in May. He believes it's the same list that TechCrunch reported Wednesday was found on an unsecured web server by cybersecurity researcher Sanyam Jain. The list, which Facebook said Wednesday contained old data scraped from a feature it's since disabled, was posted to the web forum by a seller who said he was based in Vietnam and had put the data together for marketing purposes.
Murray's find indicates that the scraped data was making its way around the web in addition to ending up on an unsecured server, and was in the hands of at least one person who saw it as a marketing tool -- and a chance to make some quick cash. Facebook acknowledged in April 2018 that a feature meant to let users look each other up by phone number had been abused to scrape numbers. The numbers were also public on the users' profiles at the time they were scraped, Facebook said.
A Facebook spokeswoman reiterated that the data is old and was scraped from the social media giant's systems before it disabled the phone number look-up feature. She said Facebook thinks the number of affected users is about 220 million.
Regarding the discovery that the data was for sale, the spokeswoman said in a statement that web scraping is "an industrywide challenge," adding, "in this case, as we announced in April 2018, people's publicly available phone numbers were scraped in violation of our policies. That is why we removed the ability to find friends using their phone number, because we learned that malicious actors abused this feature."
The revelation that the data was posted for sale and uploaded to an unsecured server is an example of the long afterlife stolen data can have, and how companies can do little to lock down user data once it's escaped their control. Even after the unsecured data was taken down, a researcher found it on another unsecured server. It's also very challenging to stop bad actors from scraping user data to begin with when it's posted publicly on profiles.
What's more, the cache represents a potentially powerful tool for fraudsters in an era of intensifying robocalls and phone scams. The data could let companies, legitimate or otherwise, call you up and ask for you by name. Combined with public information on your Facebook profile, it could be a jumping-off point for a scam. Depending on your settings, public profiles might reveal your location, where you shop and even your mother's maiden name, all valuable information for scammers.
You can protect yourself by changing the privacy settings on your social media accounts to private, said Eva Velasquez, president and CEO of the Identity Theft Resource Center.
WebProtect took steps to verify the accuracy of the seller's data but didn't purchase the data, said Murray. The company focuses on finding hacked and stolen information in dark corners of the internet, using both automated tools and human investigation to track it down. CNET has seen screenshots of the seller's exchanges with WebProtect but wasn't able to verify the authenticity of the information in the stolen cache.
Months after discovering the data for sale on the web forum, WebProtect researchers saw that a similar set of data was uploaded to a server with no password protection, Murray said. That meant anyone with a web browser and the right IP address could see the data. Murray said he compared what he knew about the two sets of data and determined they were the same cache. He also believes this is the same unprotected database found separately by Jain and reported on by TechCrunch.
Murray alerted Facebook through the company's bug bounty program about the attempt to sell the data.
Though the data may be old, Murray noted that people often keep their phone numbers for long periods of time -- and are less likely to change them than a stolen password.
"It's out there now," Murray said of the phone numbers. "It's something that's going to stick."
Here's Facebook's statement in full:
"Web scraping is an industrywide challenge and it continues to be difficult to prevent and often hard to detect once it's happened. In this case, as we announced in April 2018, people's publicly available phone numbers were scraped in violation of our policies. That is why we removed the ability to find friends using their phone number, because we learned that malicious actors abused this feature. As we said at the time, 'given the scale and sophistication of the activity we had seen, we believed that most people on Facebook could have had their public profile scraped in this way.' Since then, we've also been making changes to our platforms to reduce the risk of scraping."