Cybersecurity researchers have found a database containing the personal information of millions of Facebook users, just sitting on a server available for anyone who knew where to look.
Researchers from cybersecurity firm Comparitech, together with researcher Bob Diachenko, said they found an unsecured Elasticsearch database that contained the names, phone numbers and IDs of 267 million Facebook users.
The database itself, they believe, did not belong to Facebook, but most likely to a hacking group either using it for phishing and spreading malware, or selling it. The database was available online for two weeks before the researchers found it, and they ultimately managed to get it taken offline by reaching out to the internet service provider (ISP) that manages the server’s IP address.
The researchers believe the exposed phone numbers could be used for SMS phishing and warn everyone to be extra vigilant when receiving SMS messages.
The database mostly contains records of American users, the researchers said, adding that they still don’t know how it was populated. Possible scenarios are that the information was stolen through Facebook’s developer API, or that the API has a bug.
“‘Scraping’ is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database,” according to the report. “It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s–and most other social networks’–terms of service.”