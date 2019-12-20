

More than 267 million Facebook usernames and phone numbers have been uncovered in an internet database without password protection …

If that sounds familiar, it's because the same thing happened in September, when more than 400 million records were exposed.

This time it seems that Facebook was not the culprit in this privacy violation, at least not directly, as Comparitech reports.

Comparitech collaborated with security researcher Bob Diachenko to discover the Elasticsearch cluster. Based on the evidence, Diachenko believes that the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam.

The information in the database can be used to conduct large-scale SMS spam and phishing campaigns, along with other threats to end users.

Diachenko immediately informed the internet provider that managed the server's IP address so that access could be removed. Diachenko says, however, that the data has also been posted on a hacker forum as a download.

The database of Facebook usernames was online from at least 4 to 18 December.

The report says that the criminals may have obtained the data by exploiting a Facebook vulnerability, or possibly by simply scraping data from users who have made their Facebook profiles public.

How criminals obtained the user IDs and telephone numbers is not entirely clear. One possibility is that the data was stolen from the developer API of Facebook before the company restricted access to phone numbers in 2018. Facebook's API is used by app developers to add social context to their applications by accessing user profiles, friends lists, groups, photos, and event data. Phone numbers were available to external developers before 2018.

Diachenko says the Facebook API may also have a vulnerability that could allow criminals to access user IDs and phone numbers even after access was restricted.

Another possibility is that the data was stolen without using the Facebook API, and was scraped from publicly visible profile pages instead.

"Scraping" is a term used to describe a process in which automated bots quickly browse large numbers of web pages and copy data from each page to a database. It is difficult for Facebook and other social media sites to prevent scraping because they often cannot see the difference between a legitimate user and a bot. Scraping is against the terms of service of Facebook and most other social networks.
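As an added illustration (not part of the original report), one common server-side signal for the scraping described above is a single client requesting many distinct profile pages within a short window. The log format, client names, paths, and thresholds below are constructed assumptions, not Facebook's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log: '<ISO timestamp> <client> <path>' per line."""
    base = datetime(2019, 12, 4, 10, 0, 0)
    lines = [f"{base.isoformat()} client-user /home"]
    for i in range(20):   # automated client: 20 distinct profiles in 20 seconds
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} client-bot /profile/{1000 + i}")
    for i in range(3):    # person browsing: 3 profiles over ten minutes
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} client-user /profile/{2000 + i}")
    for i in range(10):   # person reloading a single profile repeatedly
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} client-reload /profile/3000")
    return "\n".join(sorted(lines))  # ISO timestamps sort chronologically


def find_scrapers(log_text, window=timedelta(seconds=60), max_profiles=5):
    """Return clients that requested more than max_profiles *distinct*
    profile pages inside any sliding time window."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, profile id)
    flagged = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/profile/"):
            continue  # ignore malformed lines and non-profile requests
        ts = datetime.fromisoformat(parts[0])
        client, profile = parts[1], parts[2].rsplit("/", 1)[1]
        hits = recent[client]
        hits.append((ts, profile))
        while ts - hits[0][0] > window:  # drop requests older than the window
            hits.popleft()
        # Count distinct profiles, so reloading one page is not flagged.
        if len({p for _, p in hits}) > max_profiles:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_scrapers(build_sample_log()))
```

Counting distinct profiles rather than raw requests keeps the repeated-reload client from being flagged. The thresholds are tuning knobs that trade false positives against missed automation.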

Many people have their visibility settings for Facebook profiles set to public, making them easy to scrape.

It is worth checking if your own profile is set to Friends Only: in the iOS app, tap the burger menu at the bottom right and then Settings > Privacy > Privacy Settings > Check some important settings.

Facebook seems to keep making headlines for the wrong reasons, most recently after admitting it has access to user locations, even when people have signed out.

Via Applied Sciences

