More than 267 million user names and phone numbers of Facebook users were exposed in a database left available online in the clear, with no protection.
If this news sounds familiar, it's because the same thing happened in September, when more than 400 million Facebook records were exposed. This time, however, it appears the company is not at fault, or at least not directly.
Comparitech teamed up with security researcher Bob Diachenko to investigate the Elasticsearch cluster that held the data. Based on his analysis, Diachenko believes the collection is most likely the result of an illegal scraping operation or of abuse of Facebook's API by criminals in Vietnam. The information in the database could be used to run large-scale spam and phishing campaigns via SMS.
Diachenko immediately informed the Internet service provider that managed the server's IP address so that access could be blocked. However, the researcher says the data had already been posted on hacker forums between 4 and 18 December.
How the criminals obtained the user IDs and phone numbers is not entirely clear. One possibility is that the data was harvested through Facebook's developer API before the company restricted access to it in 2018. Facebook's API is used by app developers to add a "social" context to their applications by accessing users' profiles, friend lists, groups, photos, and event data. Phone numbers were available to third-party developers before 2018.
Diachenko says Facebook's API may also have a security flaw that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was taken without using Facebook's API at all, simply by extracting it from public profile pages.
Whatever the cause, Facebook once again proves to be a platform that is certainly not safe.