Facebook users' phone numbers exposed online

A server contained hundreds of millions of phone numbers tied to Facebook accounts.

Queenie Wong Former Senior Writer


Hundreds of millions of phone numbers tied to Facebook accounts appeared in databases online that anyone could find and access before the information was taken down.

A security researcher found more than 419 million records in several databases that were part of a server that wasn't password protected, TechCrunch reported. About 133 million records were from US Facebook users and 18 million records were from UK users, according to the report.

A Facebook spokesperson said the company is still crunching the numbers but there were duplicates in those records. It estimates that about 200 million Facebook users were impacted.

"This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers," a Facebook spokesperson said in a statement. "The dataset has been taken down, and we have seen no evidence that Facebook accounts were compromised."

The social network thinks that whoever scraped the data was able to do so because of a now-defunct Facebook feature that allowed people to look up users by phone number. In the wake of the Cambridge Analytica scandal in March 2018, Facebook shut down that search tool in April 2018.

Facebook doesn't know at this time who was behind the databases or why they scraped that data. TechCrunch and security researcher Sanyam Jain, who found the exposed phone numbers, also weren't able to identify who owned the databases. The databases were pulled down after TechCrunch and Jain contacted the web host.

Privacy and security experts cautioned social media users about providing their phone numbers online. The exposure of these numbers could put users at risk of spam, harassment and SIM swapping, in which someone convinces a cell phone carrier to switch your number to another SIM card.

"Think hard before giving your phone number to any social networking business – they are in the business of aggregating and monetizing consumer data," Colin Bastable, CEO of security awareness training company Lucy Security, said in a statement. "And the phone number can be used to compromise your account."

After Twitter CEO Jack Dorsey's account was hacked last week, Twitter said Wednesday it temporarily shut down the ability to tweet via text messages.