A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.
The trove was likely to have been the result of an illegal scraping operation carried out by cyber-criminals, according to consultant Bob Diachenko and researchers at Comparitech.
One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018, explained Comparitech’s Paul Bischoff.
Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.
The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
The database itself was first indexed on December 4, with the data posted on a hacker forum eight days later. Diachenko discovered it on December 14 and notified the ISP managing the IP address, and five days later it was made unavailable.
The original leak came about because of a misconfigured Elasticsearch cluster.
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November, personal data on over one billion individuals, harvested by data enrichment companies, was found exposed.
Then in December, over one billion email-password “combos” were found in a similar way by Diachenko. They’re thought to have been stolen or bought by hackers.