KEY POINTS

  • A report reveals that a trove of user information belonging to more than 267 million Facebook users was left exposed online
  • Researchers who discovered the database found that most of those affected in the leak are U.S.-based Facebook users
  • The researchers advise against making one's Facebook account publicly visible

Private information belonging to hundreds of millions of Facebook users has been leaked online via a database that's easily accessible to netizens with malicious intent.

A report from tech site Comparitech reveals that a database containing private information such as Facebook IDs and phone numbers belonging to more than 267 million Facebook users was left exposed to anyone on the internet. The database is easily accessed and doesn't require netizens to provide passwords or any other type of authentication.

Bob Diachenko, a security researcher that Comparitech partnered with to search the Elasticsearch cluster, found that the database could be traced to Vietnam, but added that he couldn't precisely identify how the data had been collected.

He said he believes that the trove of information could've been the result of illegal data scraping. It could've also been acquired by abusing the Facebook API.

Business Insider noted that the database's creator or creators could've used automated bots designed to collect information from Facebook accounts that were made publicly visible. Regardless of the method, Diachenko noted that evidence points to this being done by people in the Asian country.

The database included unique Facebook IDs, phone numbers, full names and timestamps belonging to or pointing to 267,140,436 Facebook users. Diachenko verified details and found that all of them seemed valid. Most of the Facebook users affected in the leak, the researcher said, were from the United States.

Diachenko discovered the database ten days after it was first indexed on Dec. 4, and two days after it was made available for hackers to download. Believing that it was done maliciously by a criminal organization, he sent an abuse report to the internet service provider hosting the server where the database was found.

The database was removed days later, on Dec. 19. The time between when it was first indexed and when it was shared with hackers, however, indicates the possibility that the information included in the database could've already been copied and shared elsewhere.

The report said a database of this size is likely used for phishing and spam, especially via text messages sent to phones. It warns Facebook users to be careful of suspicious text messages, and recommends adjusting Facebook privacy settings so that their accounts will never be found using search engines outside of Facebook.

A database of Facebook user information was made available for download on an online hacker forum AFP / DENIS CHARLET