Hundreds of millions of phone numbers tied to Facebook accounts appeared in databases online that anyone could find and access before the information was taken down.
A security researcher found more than 419 million records in several databases that were part of a server that wasn’t password protected, TechCrunch reported. About 133 million records were from US Facebook users and 18 million records were from UK users, according to the report.
A Facebook spokesperson said the company is still crunching the numbers but there were duplicates in those records. It estimates that about 200 million Facebook users were impacted.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a Facebook spokesperson said in a statement. “The dataset has been taken down, and we have seen no evidence that Facebook accounts were compromised.”
The social network thinks that whoever scraped the data was able to do so because of a now-defunct feature Facebook had that allowed people to look up users by phone number. In the wake of the Cambridge Analytica scandal in March 2018, Facebook shut down that search tool in April 2018.
Facebook doesn’t know at this time who was behind the databases or why they scraped that data. TechCrunch and security researcher Sanyam Jain, who found the exposed phone numbers, also weren’t able to identify who owned the databases. The databases were pulled down after the two contacted the web host.
Privacy and security experts cautioned social media users about providing their phone numbers online. The exposure of these numbers could put users at risk for spam, harassment and SIM swapping, when someone convinces a cell phone carrier to switch your number to another SIM card.
“Think hard before giving your phone number to any social networking business – they are in the business of aggregating and monetizing consumer data,” Colin Bastable, CEO of security awareness training company Lucy Security, said in a statement. “And the phone number can be used to compromise your account.”
After Twitter CEO Jack Dorsey’s account was hacked last week, Twitter said Wednesday it temporarily shut down the ability to tweet via text messages.