Millions of Facebook user phone numbers exposed online, security researchers say

More than 267 million Facebook user IDs, phone numbers and names were in an unsecured database.

Queenie Wong Former Senior Writer


More than 267 million Facebook user phone numbers, names and user IDs were exposed in a database that anyone could access online, adding to a long list of privacy and security mishaps that continue to plague the world's largest social network.

Security researcher Bob Diachenko discovered the trove of Facebook user data on Dec. 14. The database, which has since been pulled down, wasn't protected by a password or any other safeguard. By the time access was removed, the information had been out in the open for nearly two weeks. Someone had also made the data available for download on a hacker forum, according to Comparitech, a UK technology research firm that worked with Diachenko.

Facebook's latest privacy mishap raises questions about whether the company is doing enough to protect the data of its billions of users. It's also another reminder that users should be wary about what information they make public on the social network. This isn't the first time a security researcher has uncovered a database filled with Facebook user data. The revelation also comes after UK political consultancy Cambridge Analytica harvested the data of up to 87 million Facebook users without their consent. Facebook has faced other privacy woes such as storing hundreds of millions of passwords in plain text.

Comparitech said the exposed Facebook data puts users at risk for spam and phishing campaigns. A Facebook user ID contains unique numbers that can be used to figure out a person's Facebook username and other profile information. 

Diachenko thinks that criminals in Vietnam obtained the user records in one of two possible ways. They could have exploited Facebook's application programming interface, or API, that lets developers access data such as friends lists, photos and groups. This might have happened before Facebook restricted access to user phone numbers in 2018, or afterward because of a possible security hole. Criminals could have also used automated technology to scrape the information from public Facebook profiles.

In an email, Diachenko said that a welcome page and dashboard linked to the database included a Vietnamese invitation asking for a login and password. It appears that the database was set to public by mistake because "there are no good reasons to publicly expose this data," he said.

A Facebook spokesman said in a statement that the company is looking into the issue but thinks the data was likely harvested before it made changes to better safeguard user information such as restricting access to phone numbers.

To help protect your Facebook data from getting scraped, you can change your privacy settings so search engines outside of Facebook can't link to your profile. You can also deactivate or delete your Facebook account.

Unprotected public databases have been a problem for Facebook. In April, security researchers from UpGuard found more than 540 million Facebook user records, including comments and likes, in a public database on Amazon's cloud servers. In September, TechCrunch reported on a server that contained several databases filled with more than 419 million Facebook records from users in the US, UK and Vietnam. Facebook, though, said the server contained roughly 220 million records. The latest exposed database included similar Facebook user data but it's not the same, Diachenko said. 

In September, another security researcher found a similar database with Facebook user data. It's unclear if the same person or group is posting Facebook user information online.


Originally published Dec. 19, 7:50 a.m. PT
Update, 9:39 a.m. PT: Adds statement from Facebook.