The unsecured server exposed phone numbers that could be matched with Facebook accounts.
An online database found on Sept. 5 links the name and purported phone number of Facebook Chief Executive Mark Zuckerberg, among others. When CNET called the number, it rang to voicemail, which hadn't been set up. CNET has redacted the number.
An unsecured cloud server containing a database of Facebook user phone numbers is no longer available online. The server had been found online a day after the world's largest social network said a similar database had been removed.
Elliott Murray, a cybersecurity researcher in the UK, found the database live on Sept. 5. He believes it contained the same data Facebook said was scraped from a now-defunct feature that allowed users to look each other up by phone number.
As of Monday evening, the database was no longer publicly accessible. It's unclear who posted the data and why.
Murray was able to match a known phone number of a Facebook user provided by CNET with the correct name in the publicly accessible database.
The discovery marked the latest example of how an unprotected database leaves consumers exposed. More organizations are moving their databases online, but many lack the expertise to do so securely. As a result, data that should be password-protected can be accessed by anyone with a browser and the correct IP address. Researchers now sleuth the internet for unsecured databases, which have revealed swaths of demographic details, sensitive health records and information on job hunters.
The exposed data could put users at risk of scam phone calls and other fraud, said Eva Velasquez, president and CEO of the Identity Theft Resource Center. A phone number combined with your name and any public information on your Facebook profile could help scammers convince you they're legitimate. Velasquez suggests making your social media profiles private whenever possible.
"Then the scammer is probably not even going to bother with you because they would go after the low-hanging fruit," Velasquez said.
Instagram, which is owned by Facebook, has cracked down on scraping user data from its features as well. In May, it revoked the access of an Indian recruitment website called Chtrbox to its API after an exposed database indicated the company had scraped Instagram user data.
The exposed Facebook user phone numbers came to light on Sept. 4 in a TechCrunch report, which said researcher Sanyam Jain had discovered the data online. Facebook estimated that about 220 million users were affected by the exposed information.
Murray, who is CEO of cybersecurity company WebProtect, said he also encountered similar data. Checking for it again on Sept. 5, he saw the same types of data in an unsecured database. It is "almost certainly the same data" that was found in the database that was previously taken down, Murray said.
"Databases of this scale don't come often, and it's clear from the data contained that the two match," Murray said.
Facebook declined to comment for this story. The company told CNET in a statement on Sept. 4 that there's no indication individual users' accounts were breached.
CNET reached out to a phone number in the database linked to Facebook co-founder Chris Hughes. The person who replied via text said that she got the number earlier this year and ever since then she's received a lot of texts and calls for Hughes. She said her name was Ellen but declined to give her last name.
"I honestly wasn't aware this number was listed in a database until now and it must be listed elsewhere because you aren't the first reporter to contact me," she said.
CNET's Stephen Shankland contributed to this report.
Originally published Sept. 5, 4:18 p.m. PT
Update, 7 p.m. PT: Adds comment from person who has a phone number in the database.
Update, Sept. 6: Adds response from Facebook.
Update, Sept. 10: Adds news that the database is no longer online.