An unsecured database exposed more than 267 million Facebook user IDs, phone numbers, full names, and timestamps. The database was exposed to the web without any authentication, so anyone with the web URL could access it.
Security researcher Bob Diachenko, in partnership with Comparitech, uncovered the Elasticsearch database, which was found to be open for nearly two weeks.
Diachenko believes that the data was scraped illegally by cybercriminals in Vietnam abusing the Facebook API, and that it can be used to conduct mass spam and phishing campaigns.
Data Posted on Hacker Forum
The database was found to have been indexed on December 4th; the bad news is that the Facebook users' data was posted on a hacker forum on December 12th. The details posted on hacker forums could reach several cybercriminals, who could use the data to launch sophisticated attacks.
Diachenko uncovered the data on December 14th, and it was reported to the ISP; the database was finally taken down on December 19th.
What are the Details Exposed
According to Diachenko, Facebook’s API could have a security hole that allowed the cybercriminals to scrape the details. The exposed details include:
- A unique Facebook ID
- A phone number
- A full name
- A timestamp
“In total 267,140,436 Facebook users records were exposed. Most of the affected users were from the United States. The server included a landing page with a login dashboard and welcome note,” Diachenko says.
Facebook restricted the data in 2018; before that, details such as check-ins, likes, photos, posts, videos, events, and groups were accessible. The data was possibly scraped before that.