Unsecured database leaks phone numbers of 419 million Facebook users

The unsecured database contained 133 million records from the US, 18 million in the UK and 50 million in Vietnam – All from Facebook users.
Unsecured database leaked phone numbers of 419 million Facebook users

Another day, another privacy disaster hits Facebook users.

To add insult to the already enraged privacy advocates, Facebook has yet again disappointed its user base. It has been revealed that 419 million phone numbers belonging to Facebook users have been exposed due to a breach in an online unsecured database.

The database contained 133 million records from the US, 18 million in the UK and 50 million in Vietnam. However, a Facebook spokeswoman has added that in actuality the data of 210 million users was revealed since the unsecured database contained duplication.

About more than a year ago, if you entered a phone number into Facebook’s search bar, it would reveal the account connected to that number. Although Facebook has abandoned this practice, it is believed that the phone numbers were scraped before it did so.

See: Facebook: Storing Instagram passwords in plain text & harvesting your emails

Unsecured database leaked phone numbers of 419 million Facebook users
Screenshot of the leaked database

However, according to GDI Foundation’s security researcher Victor Gevers tweeted that “Although Facebook had disabled the API that shares users mobile phone & address details back in 2011, this data leak with scraped Facebook details was deployed recently in August 2019 on the latest version (4.0.12) of MongoDB. There is also a mail server running on that server.”


Nevertheless, the breach is still alarming for a number of reasons. Firstly, phone numbers are a goldmine for hackers who would definitely enjoy sending loads of marketing messages and calls to these users.

Secondly, they could be used to aid in sim swapping for users who have been using their phone numbers as a part of two-factor authentication. How serious can this be? Well, last week, Jack Dorsey’s Twitter account was compromised just due to such a technique despite him being the CEO so this leaves a layman much more vulnerable.

See: How to hack a Facebook account simply knowing account phone number

Moreover, the phone numbers were linked to Facebook accounts identifiable by a unique public ID assigned by the platform and that could be used to discern someone’s username. 

“TechCrunch verified a number of records in theunsecured database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account,” reported the site.

For now, the unsecured database has been taken down with Facebook investigating in the meanwhile. We do not know if the affected users would be compensated in any way or even be informed. This leaves us with a simple yet profound lesson of not relying on companies no matter how big they may seem, there will always be human errors after all.

Last but not least, if you are sick of Facebook; here is a guide on how to delete your Facebook account permanently.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts