309 million Facebook users’ phone numbers found online

Over the weekend, researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500.

That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

How did the data get leaked? In a blog post, Cyble said that it doesn’t know, but its researchers suspect that the records could have either come from a leak in Facebook’s developer API or from scraping: the automatic sucking up of publicly available data (like the kind people often publicly post on Facebook and other social networks).

It keeps popping up

The story doesn’t stop there, however. In fact, it doesn’t begin there, either. It turns out that this same database had been posted before; spotted by security researcher Bob Diachenko; taken down by the ISP hosting the page; reappeared, fattened up with another 42 million records in an Elasticsearch cluster on a second server; and then been destroyed by unknown actor(s) who replaced personal info with dummy data and swapped in database names labelled with this advice: “please_secure_your_servers”.

Exposed database after breach by unknown actors. IMAGE: Comparitech

Diachenko partnered with the tech comparison site Comparitech on this work last month. Comparitech said that the database was exposed for nearly two weeks, available online with no password protection, before it was taken down.

The timeline

This is what happened when, Comparitech says:

  • 4 December 2019: Database first indexed by search engines.
  • 12 December 2019: The data was posted as a download on a hacker forum.
  • 14 December 2019: Diachenko discovered the database and immediately sent an abuse report to the ISP managing the IP address of the server.
  • 19 December 2019: Access to the database was removed.
  • 2 March 2020: A second server containing identical records plus an additional 42 million was indexed by search engine BinaryEdge.
  • 4 March 2020: Diachenko discovered the second server and alerted the hosting provider.
  • 4 March 2020: The server was attacked and destroyed by unknown actors.

The initial breach exposed 267,140,436 records of what were mostly Facebook users in the US. Diachenko said that all of the records seemed to be valid. The same 267m records were exposed on the second server in March 2020, but this time, the exposure included an additional 42 million records, hosted on a US Elasticsearch server.

Comparitech said that 25 million of the new records contained similar information: Facebook IDs, phone numbers, and usernames. But 16.8 million of the new records had even more, including gender, email address, birth date and other personal data.

What data was exposed in exposure of fattened database. IMAGE: Comparitech

How did they get this data?

Both Cyble researchers and Diachenko aren’t sure how the breach happened, but both suggest that it could have been a hole in Facebook’s third-party developer API that existed before the platform restricted access to phone numbers. … or which lets crooks get at our user IDs and phone numbers even after Facebook restricted that access in the API.

Both Cyble and Diachenko say that alternatively, the records might have been harvested by scraping, which is a good reason why you might want to rethink how much data you’re publicly sharing on Facebook. In other words …

Stop exposing yourself!

The less PII you spread around, the less ammunition you give scammers to lure you into clicking on something dangerous in email or SMS text, or into telling them more than you should on the phone. The more scammers know about you, the more convincing they sound. All too often, the thinking of a would-be victim goes like this: “Hey, they know my birthdate and/or phone number and/or home address and/or fill in the blank. They must be legit!”

Be careful of unsolicited emails and texts — they might be phishing attempts. Here’s how to limit how much these con artists can glean about you from Facebook:

  1. In Facebook, go to Settings & privacy.
  2. Select See more privacy settings
  3. Set all relevant fields to either Friends or Only me.
  4. Set “Do you want search engines outside of Facebook to link to your profile?” to No.

There were no passwords involved in this breach, but it’s still a good opportunity to ensure you have a strong password on Facebook, and that you’re not reusing it (or any other passwords) on any other site.

This breach has already given attackers one piece of the authentication puzzle they need to hijack your accounts: namely, it exposed Facebook users’ email addresses. Once they know the email you use on Facebook, they can use it to search through lists of breaches that have included passwords. Then, they’ll plug login name/password combinations into other sites to see where else you’ve (re)-used those credentials. … All of which adds up to it being a truly bad idea to use a password twice.

Finally, if you’re not already securing your Facebook account with two-factor authentication (2FA), now is a good time to turn that on. It will keep your account from being hijacked if your credentials do get hacked, via this or other breaches. Even if attackers get your username and password, 2FA can prevent them from taking over your accounts. In Facebook, you can turn on 2FA by going to Settings > Security and login.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.