A server with records of hundreds of millions of Facebook user accounts has been found unprotected online, according to TechCrunch.
The server contained a total of 419 million user records. About 133 million of those were for U.S. users, 18 million were for users in the UK, and 50 million were records of users in Vietnam.
The server itself was not protected with a password, meaning anyone online could access the records.
Those records included each Facebook user’s unique ID (which can be used to discover an account’s username), along with the phone number associated with the account. Some records also contained usernames, genders, and a user’s country.
In a statement to TechCrunch, Facebook said that the dataset in the server was “old.” More specifically, the company clarified that the information was somehow obtained before Facebook made changes to remove public access to phone numbers associated with user accounts.
“The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,” the spokesperson said.
TechCrunch reporters were able to verify the accuracy of the server’s data by comparing records to known Facebook users. They were also able to verify other records by using Facebook’s password reset tool, which shows a partial phone number.
Interestingly, it’s not clear who owns the server or from where it originated. When TechCrunch contacted the web hosting company, the server was pulled. It’s also unclear how, why or when the data was scraped from Facebook.
The unprotected server was first discovered by security researcher Sanyam Jain, who noticed that he was able to look up the phone numbers of several celebrities in it.
While Facebook says there isn’t any indication that user accounts were compromised, the existence of the dataset could prove to be a security risk for users involved.
SIM-hacking, for example, is an increasingly common attack. Using SIM-hacking techniques, a bad actor can call a carrier and request that a specific phone number be transferred to a SIM card they control. That could give the attacker access to password reset flows that rely on the phone number and a way to bypass a user’s SMS-based two-factor authentication.
Getting your phone number leaked online could also expose you to more spam or robocalls, which are a worsening problem themselves.