Over 260 million Facebook users had their names, Facebook IDs and phone numbers exposed without any type of protection. They were left on a website in a way that was accessible for all, not even hidden behind a password.
Security researcher Bob Diachenko partnered with Comparitech to in order to find out what exactly was the issue with the Elasticsearch cluster.
How did the leak happen?
The security researcher believes the cluster of personal Facebook data is most likely the result of an illegal scraping operation or maybe even a Facebook API abuse by cyber criminals. At least, that was what the initial evidence leads to show.
Having this type of data at your disposal and at such a large scale is upsetting. It would allow you to perform global-scale phishing and SMS scams.
Fortunately enough, the security specialist together with the server’s Internet service provider managed to limit access to the data as soon as possible.
The bad news is that all the data was posted on a hacker forum and it was available for download to anyone that visited the website.
How long did the exposure last?
Unfortunately, 267 million users IDs and phone numbers were exposed for a grand total of two weeks. It seems that the database was first indexed on December 4th. The data was then posted as a download on a hacker forum on December 12th.
It would only be until December 14 that Diachenko would discover the information leak and immediately sent an abuse report to the ISP managing server. The problem is that it was only until December 19 that they prohibited access to the data.
Do you think that Facebook should improve their security measures? Let us know in the comment section below.