Less than two months after it agreed to pay the Federal Trade Commission (FTC) $5 billion for failing to protect its user data, Facebook is facing another serious privacy issue.
On Wednesday, TechCrunch reported that it was contacted by security researcher Sanyam Jain regarding a massive cache of Facebook user data. Jain discovered an unsecured database containing 419 million Facebook user identification numbers and their associated phone numbers.
The website also notes that some entries contain some members’ locations, gender, and name.
Like Jain, TechCrunch couldn’t determine who established the sprawling database. However, the site learned that the index contained information on 133 American Facebook users, 50 million Vietnam-based users, and 18 million U.K. members.
Notably, the mysterious database, which featured no authentication protections, includes the phone numbers of several celebrities.
While the user information cache didn’t contain payment information, it did include enough data to expose millions of people to fraudsters. For instance, scam artists could use the database’s phone numbers and Facebook account details to pull off a phishing scheme. Similarly, criminals could take material from the index and use it to pull off a SIM-swapping attack.
In this type of cyberassault, malicious operators convince a wireless carrier to assign a victim’s number to a different handset. Then, they can use the subverted smartphone to seize control of any application associated with the victim’s phone number.
After verifying the veracity of the index’s information, TechCrunch contacted its web host and had it taken down.
The website also contacted Facebook about the mysterious database. The social media company had a surprisingly calm reaction to TechCrunch’s disclosure. Company spokesman Jay Nancarrow told the publication that the data featured on the index was old and was scrapped before the firm disabled phone number searches in April 2018.
Nancarrow also said that the organization found no evidence of any Facebook account being compromised as a result of the data leak. Facebook also disputed some of TechCrunch’s findings. The social network contends that the insecure server only contained 220 million user records.
The Illusion of Privacy Protection
Despite CEO Mark Zuckerberg’s repeated promises of reform, Facebook can’t seem to protect its users’ privacy. In addition to the Cambridge Analytica scandal, the firm disclosed that another data breach in October 2018 exposed 30 million users.
In March, the company admitted that it stored between 200 and 600 million users passwords in plaintext on its internal servers. Moreover, the service hosted the hidden database for seven years before discovering its existence in a security sweep.
Two months later, TechCrunch reported that a marketing company called Chtrbox scraped 49 million Instagram account records. Even worse, the firm stored the data it collected on an unsecured Amazon Web Server. Cybersecurity experts believe that the company exploited a vulnerability in the social network’s application programming interface.
Whether due to incompetence, disinterest, or a desire to exploit its wealth of user data, Facebook and its subsidiaries don’t secure user data as well as they could. As a result, millions of people have had their personally identifiable information repeatedly exposed or misused. Hopefully, a powerful government entity like the FTC or the European Commission will compel the corporation to change its policies.
For the 2.4 billion people that use Facebook every month, the illusion of privacy protection just isn’t enough.