Security researcher Sanyam Jain uncovered an unprotected server that stored databases containing 419 million phone numbers belonging to Facebook users. The affected users include 133 million people from the United States and 18 million from the UK. In total, this new data leak seems to affect about five times more people than the Cambridge Analytica leak did (87 million people affected).
Jain also found that most phone numbers were linked to Facebook usernames, as well as to real names, genders, and countries. When he contacted the server operator about it, the server was taken offline with no further explanation of how the data got there.
When asked about this by TechCrunch, Facebook issued the following statement:
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
However, even if that is true, one-year-old phone numbers are not that old at all, as the vast majority of people tend to keep their phone numbers for at least two years, the typical contract period, if not much longer than that. Some even keep them for a decade or longer, so Facebook dismissing this as a non-issue doesn’t seem to make much sense.
In May, Facebook’s Instagram service also suffered a data breach, and the data of 49 million users was leaked. At the time, Facebook once again downplayed the issue and said that it found no evidence that the data was used maliciously.
Facebook said that it made some changes last year to how third parties can access its user data and that this has helped in preventing data leaks. However, it’s becoming clear that maybe the company hasn’t gone far enough with those restrictions, as user data still seems to leak to various third parties.
When the Cambridge Analytica scandal broke out, many said at the time that it was unlikely that this company would be the only one that collected the data of millions of people without consent. Every few months, there seems to be a new story confirming this, as the data of millions more people is found to be exposed online, while Facebook plays the innocent party.