Facebook Users at Risk of SIM-Swapping Attacks After Their Phone Numbers Are Leaked Online

Facebook Users Phone Numbers Exposed

When the Cambridge Analytica scandal broke out in March 2018, people thought it was a big one. The UK-based company had collected the information of quite a few Facebook users through a personality quiz app and had used it for political purposes. People were so outraged that over the next few months, Facebook wiped out more than $100 billion of its market capitalization thanks to a major stock crash.

Yesterday, we learned of another incident which involves the data of many Facebook users, and a few things suggest that it's even bigger than the Cambridge Analytica scandal.

Hundreds of millions of Facebook users have their data exposed

The data leak was first discovered by security researcher and member of the GDI Foundation Sanyam Jain. He found a server that was connected to the internet and was not protected by a password. Inside it, there were several databases containing a total of 419 million records, with each one representing an individual account. 133 million of the affected accounts belong to people who are based in the US. The number of affected UK residents sits at 18 million, and around 50 million of the accounts are owned by people who live in Vietnam. After discovering the exposed databases, Sanyam Jain contacted TechCrunch's Zack Whittaker who got in touch with the hosting company operating the server and asked them to pull it down. Yesterday, after ensuring that the data is offline, Whittaker published broke the news.

To put things into perspective, after Facebook investigated the Cambridge Analytica incident, it calculated that the total number of affected individuals sits at just under 90 million. In other words, in terms of scale, we're talking about a much bigger leak. But what about the impact?

What was the nature of the leaked information?

The most important thing we need to know is that, as a Facebook spokesperson told TechCrunch, no social media accounts have been compromised due to the leaked data. The databases contained no passwords or any other particularly sensitive information.

The exposed details include names, Facebook IDs, gender information, and locations by country, and they were most likely scraped by automated tools. There were also phone numbers which goes to show that although the data was put on the server last month, it was most likely collected prior to April 2018 when Facebook implemented changes meant to better protect people's contact details. The exposed data is proof that these changes came too late.

What should affected users be on the lookout for?

There is one major difference between the Cambridge Analytica scandal and the current leak – there is no known culprit. Sanyam Jain and Zack Whittaker tried and failed to find the owner of the misconfigured server. They also tried looking at the databases themselves, but unfortunately, there was nothing to point them in a particular direction.

In other words, nobody knows who collected the data and why they needed it. The fact that it was recently put on an internet-connected server does suggest, however, that someone had the intention of using it in the near future.

As we mentioned already, most of the details are in the public domain and can't realistically cause too much trouble. The availability of phone numbers does raise the risk of SIM swapping attacks, however, especially for the "several celebrities" which, according to Sanyam Jain, have also been affected by the leak. If you don't know how impactful a SIM swapping attack can be, you can ask Twitter CEO Jack Dorsey who fell victim to one just last week. The threat of spam calls should not be taken lightly, either.

All in all, although we have not seen any evidence of the data being misused, the leak itself still isn't good news for the millions of people that were affected. Unfortunately, Facebook users have been through so many similar incidents, that they are probably used to it by now.

September 5, 2019