A server that was not protected by a password held some 400 million database records of Facebook users in the United States, Vietnam, and the United Kingdom, it was reported.
Security researcher Sanyam Jain discovered the database and found that each record contained a unique Facebook ID and the phone number for the account. There were 133 million records from U.S. users, 18 million from U.K. users, and 50 million from Vietnamese users.
The server wasn’t password-protected, meaning that anyone could have accessed the records. The server was later taken offline, he said, according to TechCrunch.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised,” Facebook spokesman Jay Nancarrow told Fox Business.
He added that the phone numbers were made private more than a year ago.
The TechCrunch report noted that researchers are not sure who created the database, and they are also not sure when it was created.
“Online businesses often ask for the number ‘in case you need to recover access to your account,’” Colin Bastable, CEO of security awareness training company Lucy Security, told Threatpost.
He said that people should “think hard” before handing over their phone numbers to social media firms.
“The main risk of the phone number exposure incident is the potential of spam calls, which are a huge nuisance today,” said Jonathan Deveaux, head of enterprise data protection at security firm Comforte AG, according to the report. “The bigger fear is what other unprotected sensitive data exists, which may be subject to the same decisions, but possibly posing a larger risk to end-users.”
In July, Facebook was fined by the U.S. Federal Trade Commission (FTC) to the tune of $5 billion due to privacy violations.
As part of the agency’s settlement with Facebook, CEO Mark Zuckerberg will have to personally certify his company’s compliance with its privacy programs. The FTC said that false certifications could expose him to civil or criminal penalties.
Some experts had thought the FTC might fine Zuckerberg directly or seriously limit his authority over the company. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” Joe Simons, the chairman of the FTC, said in a statement. He added that the new restrictions are designed “to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.” Facebook does not admit any wrongdoing as part of the settlement.
The Associated Press contributed to this report.