New Facebook User Data Leak Is Five Times Larger Than Cambridge Analytica Leak

Credit: Shutterstock

Security researcher Sanyam Jain uncovered an unprotected server storing databases that contained 419 million phone numbers belonging to Facebook users. Among the affected users are 133 million people from the United States and 18 million from the UK. In total, this new data leak seems to affect about five times more people than the Cambridge Analytica leak did (87 million people affected).

Jain also found that most phone numbers were linked to Facebook usernames, as well as to real names, genders, and countries. When he contacted the server operator about it, the server was taken offline with no further explanation of how the data got there.

When asked about this by TechCrunch, Facebook issued the following statement:

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

However, even if that is true, one-year-old phone numbers are not that old at all, as the vast majority of people tend to keep their phone numbers for at least two years, the typical contract period, if not much longer than that. Some even keep them for a decade or longer, so Facebook dismissing this as a non-issue doesn’t seem to make much sense.

In May, Facebook’s Instagram service also suffered a data breach, and the data of 49 million users was leaked. At the time, Facebook once again downplayed the issue and said that it found no evidence that the data was used maliciously.

Facebook said that it made some changes last year to how third parties can access its user data and that this has helped in preventing data leaks. However, it’s becoming clear that maybe the company hasn’t gone far enough with those restrictions, as user data still seems to leak to various third parties.

When the Cambridge Analytica scandal broke out, many said at the time that it was unlikely that this company would be the only one that collected the data of millions of people without consent. Every few months, there seems to be a new story confirming this, as the data of millions more people is found to be exposed online, while Facebook plays the innocent party.

7 comments
  • Giroro
    Executive Order (E.O.) 13526, Sec. 1.7(e) states "Compilations of items of information that are
    individually unclassified may be classified if the compiled information reveals an additional
    association or relationship that (1) meets the standards for classification under this order; and (2) is
    not otherwise revealed in the individual items of information."

    How much personally identifiable information, often gathered without informed consent (they change policies all the time without notifying people), needs to be aggregated into one database until it becomes a risk to national security for it to leak?
    Do you think that America might have some enemies who could use the names, phone numbers, and profiles of a third of the United States to do some damage? What if the server had contained location history, browsing history, or shopping history gathered from every site with a share button (which is a tracker) embedded at the bottom of the page? What if that server had contained home addresses, job history, family connections, facial recognition data? How much is too much?
    China and Russia (and pretty much any major country) have literal armies of people whose entire job is to gather and weaponize this kind of data.

    At which point should the government step in and force companies to treat these increasingly common and indescribably immense compilations of valuable data as classified?
    There really needs to be some national discourse about this kind of thing.
  • USAFRet
    Quote:
    How much personally identifiable information, often gathered without informed consent (they change policies all the time without notifying people), needs to be aggregated into one database until it becomes a risk to national security for it to leak?

    Data aggregation is the entire business model of Facebook and similar.

    And the people give them extremely detailed personal info, by choice, on purpose.
    Your phone number, who your friends are, when and where you're going on vacation, what you've purchased recently, when you last went to the doctor and why...all given to them by the users.
  • DookieDraws
    Screw Facebook! Never joined, never will. And they probably still have / collect info on those of us who aren't members.