Facebook stares down yet another security flaw, this time with an incident involving an exposed server containing hundreds of millions of phone numbers previously associated with accounts on the platform.
The situation appears to be tied to a feature, no longer enabled on the platform, that allowed users to search for someone based on their phone number. TechCrunch's Zack Whittaker first reported on Wednesday that a server – which did not belong to Facebook, but was apparently not password protected and therefore available to anyone who could find it – was discovered online by security researcher Sanyam Jain and found to contain more than 419 million records on Facebook users, including 133 million records on users based in the United States.
(A Facebook spokesperson disputed the 419 million figure in a conversation with Gizmodo, claiming the server contained "nearly half" of that number, but declined to provide a specific figure.) According to TechCrunch, records on the server included a Facebook user's phone number and unique Facebook ID. Using both, TechCrunch said it was able to cross-check them to confirm the records were genuine, and additionally found that records in some cases include the user's country, name and gender. The report stated that it is unclear who scraped the data from Facebook or why. The Facebook spokesperson said the company became aware of the situation a few days ago, but would not specify an exact date.
Whittaker noted that having access to a user's phone number can allow a bad actor to force password resets on accounts associated with that number and could expose the user to nuisances such as spam calls or other abuse. But it can also allow a bad actor to retrieve a lot of private information about a person by entering the number into any number of public databases, or, with a little legwork, to hijack the number itself and gain access to apps or even a bank account.
"This dataset is old and appears to have obtained information before we made changes last year to remove people's ability to find others using their phone numbers," the spokesperson said in an email statement. "The dataset has been removed and we have not seen any evidence that Facebook accounts were compromised."
Facebook announced in a blog post by CTO Mike Schroepfer in April 2018 that it was disabling the ability for users to search for one another using phone numbers or email addresses after discovering that "malicious actors" had abused the feature to scrape publicly available profile information. Schroepfer wrote at the time that because of "the scale and sophistication of the activity we have seen, we think most people on Facebook could have had their public profile scraped this way." Still, the fact that the company disclosed the likelihood of such scraping last year does not make this week's news any less troubling.
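The abuse Schroepfer describes – feeding large numbers of phone numbers into a lookup feature to harvest the profiles behind them – leaves a recognisable footprint in a service's own logs: one client asking about far more distinct numbers than any real user would, most of which do not exist. The following is an added example written for this page, not code from the article or from Facebook; it assumes a hypothetical log format (`<iso-timestamp> <client-id> lookup phone=<number> hit=<0|1>`) and constructs its own sample lines, and flags clients whose distinct-number count inside a sliding window exceeds a threshold.

```python
"""Added example (not from the article or from Facebook): flag clients that
enumerate a phone-number lookup endpoint.

Assumed (hypothetical) log format, one line per lookup:
    <iso-timestamp> <client-id> lookup phone=<e164-number> hit=<0|1>
A real user looks up a handful of numbers; a scraper sweeps through many
distinct numbers in a short window, most of which return no account."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) lookup phone=(?P<phone>\+\d+) hit=(?P<hit>[01])$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "client": m.group("client"),
        "phone": m.group("phone"),
        "hit": int(m.group("hit")),
    }


def find_enumerators(lines, window=timedelta(minutes=10), max_distinct=20):
    """Return {client: summary} for clients that looked up more than
    `max_distinct` different numbers inside any `window`-long span.

    The summary records when the threshold was first crossed, the largest
    distinct-number count seen in one window, and the hit ratio (existing
    accounts / lookups) in that window; a low ratio is the guessing signature."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["client"]].append(ev)

    flagged = {}
    for client, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # events inside the current window, oldest first
        for ev in evs:
            recent.append(ev)
            while recent[0]["ts"] < ev["ts"] - window:
                recent.popleft()
            distinct = {e["phone"] for e in recent}
            if len(distinct) > max_distinct:
                info = flagged.setdefault(
                    client, {"first_flag_at": ev["ts"], "peak_distinct": 0, "hit_ratio": 0.0}
                )
                if len(distinct) > info["peak_distinct"]:
                    info["peak_distinct"] = len(distinct)
                    hits = sum(e["hit"] for e in recent)
                    info["hit_ratio"] = round(hits / len(recent), 2)
    return flagged


# Constructed sample log: one ordinary user and one client sweeping a number range.
_BASE = datetime(2019, 9, 4, 12, 0, 0)
SAMPLE_LOG = []
for i, num in enumerate(["+14155550101", "+14155550102", "+14155550101"]):
    ts = (_BASE + timedelta(minutes=20 * i)).isoformat()
    SAMPLE_LOG.append(f"{ts} c-legit lookup phone={num} hit=1")
for i in range(30):  # 30 consecutive numbers in 3 minutes, only 3 of which exist
    ts = (_BASE + timedelta(seconds=6 * i)).isoformat()
    SAMPLE_LOG.append(f"{ts} c-scraper lookup phone=+1415555{1000 + i:04d} hit={1 if i % 10 == 0 else 0}")
SAMPLE_LOG.append("garbage line that should be ignored")

if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(client, info)
```

The client identifier should be whatever the service actually authenticates (an account or API key, not just a source IP), since a scraper spreading requests across many addresses would otherwise stay under the per-client threshold. The threshold and window are deliberately parameters: the right values depend on what legitimate traffic to the lookup feature looks like, and the hit ratio is the more robust of the two signals because real users rarely ask about numbers that have no account.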
Another day, another spectacular security fuckup from a company that has a knack for this kind of thing. The news comes on the heels of Senator Ron Wyden telling an interviewer that he thinks lawmakers should make sure Facebook CEO Mark Zuckerberg faces the "possibility of jail time" for the company's misuse of user data. Although it sounds like a pipe dream, the possibility of it becoming a reality grows stronger by the day.