
New Facebook User Data Leak Is Five Times Larger Than Cambridge Analytica Leak


Security researcher Sanyam Jain uncovered an unprotected server holding databases with 419 million phone numbers belonging to Facebook users, roughly five times the 87 million people affected by the Cambridge Analytica leak. Among the affected users are 133 million in the United States and 18 million in the UK.

Jain also found that most of the phone numbers were linked to Facebook usernames, and some records also carried real names, genders, and countries. When he contacted the server's operator, the server was taken offline with no further explanation of how the data got there.

When asked about this by TechCrunch, Facebook issued the following statement:

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

Even if that is true, a year-old phone number is hardly stale: most people keep the same number for at least two years, the typical contract period, and many keep it for a decade or longer. A number that is still live and tied to a real name is enough to target its owner with SMS phishing or a SIM-swap attempt, so Facebook dismissing this as a non-issue does not hold up.

Instagram, which Facebook also owns, had its own incident in May, when the data of 49 million users was exposed. At the time, Facebook likewise downplayed the issue and said it had found no evidence that the data had been used maliciously.

Facebook has said that the changes it made last year to how third parties can access user data have helped prevent leaks. Yet it is becoming clear that those restrictions may not have gone far enough, as user data continues to turn up in the hands of third parties.

When the Cambridge Analytica scandal broke, many observed that it was unlikely to be the only company that had collected the data of millions of people without consent. Every few months a new story confirms this, as the data of millions more people is found exposed online, while Facebook plays the innocent party.

  • Giroro
    Executive Order (E.O.) 13526, Sec. 1.7(e) states: "Compilations of items of information that are individually unclassified may be classified if the compiled information reveals an additional association or relationship that (1) meets the standards for classification under this order; and (2) is not otherwise revealed in the individual items of information."

    How much personally identifiable information, often gathered without informed consent (they change policies all the time without notifying people), needs to be aggregated into one database until it becomes a risk to national security for it to leak?
    Do you think that America might have some enemies who could use the names, phone numbers, and profiles of a third of the United States to do some damage? What if the server had contained location history, browsing history, or shopping history gathered from every site with a share button (which is a tracker) embedded at the bottom of the page? What if that server had contained home addresses, job history, family connections, facial recognition data? How much is too much?
    China and Russia (and pretty much any major country) have literal armies of people whose entire job is to gather and weaponize this kind of data.

    At which point should the government step in and force companies to treat these increasingly common and indescribably immense compilations of valuable data as classified?
    There really needs to be some national discourse about this kind of thing.
  • USAFRet
    Giroro said:
    How much personally identifiable information, often gathered without informed consent (they change policies all the time without notifying people), needs to be aggregated into one database until it becomes a risk to national security for it to leak?
    Data aggregation is the entire business model of Facebook and similar.

    And the people give them extremely detailed personal info, by choice, on purpose.
    Your phone number, who your friends are, when and where you're going on vacation, what you've purchased recently, when you last went to the doctor and why...all given to them by the users.
  • DookieDraws
    Screw Facebook! Never joined, never will. And they probably still have / collect info on those of us who aren't members.
  • USAFRet
    DookieDraws said:
    Screw Facebook! Never joined, never will. And they probably still have / collect info on those of us who aren't members.
    "probably"?
    Absolutely.
  • Giroro
    USAFRet said:
    Data aggregation is the entire business model of Facebook and similar.

    I realize that. That is the topic of discussion I am bringing up: at which point does the business model of aggregating this kind of data become an issue of national security, and what steps should be required to secure that data?
    A company might have a business model of designing and selling American fighter jets, but that doesn't mean that they are allowed to sell American technology to anybody in the world who wants it.

    The military standards for the strength of a bolt or how to turn a screwdriver probably aren't issues of national security, but if you keep adding parts and layers of information, eventually you end up with the complete detailed design of an F-22. At what point do many small individual pieces of information that are fine when freely shared on an individual level start to become something more: the data-mining equivalent of "recognizably a part of an F-22"?


    USAFRet said:
    And the people give them extremely detailed personal info, by choice, on purpose.
    Your phone number, who your friends are, when and where you're going on vacation, what you've purchased recently, when you last went to the doctor and why...all given to them by the users.

    Just because information was generated or aggregated on purpose, does not have anything to do with whether or not that information needs to be protected.
    Fighter jets are designed on purpose by engineers who give those designs to their employer by choice. But it would be a crime to upload those classified designs for a fighter jet to the front page of their website.
    My point is there are legal limits to what information can be shared with whom; I just wish some people in the government would realize that there is more to consider here than the surface issues of privacy and consent (which, clearly, they don't care about, since everybody forgot the NSA never actually got fixed).
  • USAFRet
    If it is collected, or freely given...at some point it WILL be hacked/released/whatever.

    And for your 'fighter jet plans'..yes, it is absolutely a 'crime' to release those to the public.
    Yet it happens.

    Given a big enough target, be it F-22 plans or data on a billion users...enough resources will be devoted to discovering that.

    If it exists, it will be hacked. Or released by some insider, on purpose.
    Being illegal does not prevent.

    The only way to not have that data released is to not have it at all.
    Shut Facebook down, discover every single storage device they ever touched, and run them through a physical shredder.
  • frogr
    admin said:
    Researcher finds an unprotected server with leaked Facebook user data affecting more than five times as many people as the Cambridge Analytica data leak did.

    New Facebook User Data Leak Is Five Times Larger Than Cambridge Analytica Leak
    "However, even if that is true, one-year-old phone numbers are not that old at all, as the vast majority of people tend to keep their phone numbers for at least two years, the typical contract period, if not much longer than that."
    Yes, much, much longer. Most people keep their phone numbers from contract to contract and when switching to a new provider. If I needed stolen phone numbers, at least half of the five-year-old numbers would still be good.