New data leak reveals phone numbers of 419 million Facebook users

Facebook has been involved in a new security and data breach wherein 419 million users’ phone numbers have been leaked and discovered online.

Sanyam Jain, a security researcher, first reported the hack and noted that he found the information on an unsecured server that required no password for access.

He estimated that 18 million of the compromised accounts were from the UK, whilst 133 million belonged to American users. In addition, 50 million leaked accounts belonged to users in Vietnam.

Chief technology officer of software firm Censornet, Richard Walters, said: “With 419 million phone numbers exposed, the volume of this data leak is huge.

“These details provide cybercriminals with a head start for carrying out fraudulent activity and identity theft [...] It is unacceptable for companies to suffer data leaks in this way. Once again, Facebook has let its users down.”

Not only were phone numbers revealed as part of the leak, but some records also showed names, gender, locations, and other details that could be taken from Facebook profiles.

Experts have warned that, as a result, some of the victims could be on the receiving end of SIM-swap attacks. In such an attack, cybercriminals take control of the victim's phone number and can then get around two-factor authentication by intercepting the one-time passwords sent to it.

Dmitry Kurbatov, the chief technology officer of Positive Technologies, said: “In terms of the damage that could be done – the more a hacker knows about you the more powerful they are.

“For instance, if he has information like name, surname, phone number, birth date, ID number – this would probably be enough to impersonate you to your mobile carrier. Then he can ask to set up call and SMS forwarding or to swap the SIM. Essentially from there, the number is hijacked.”

A spokesperson for Facebook, however, responded by saying that the numbers had now been taken down and that none of the accounts had been compromised by such scams in the meantime.

The spokesperson said: “This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”