Sanyam Jain, a security researcher and member of the GDI Foundation, found the database with more than 419 million records over several databases, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.
The server wasn’t protected with a password, and Jain contacted TechCrunch after he was unable to find the server’s owner.
Each record contained a user’s unique Facebook identification, as well as the phone number on the account. Jain revealed he found a number of accounts belonging to celebrities, and TechCrunch was able to verify a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. Some of the records also had the user’s name, gender and location by country.
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” Facebook spokesperson Jay Nancarrow said. “The data set has been taken down, and we have seen no evidence that Facebook accounts were compromised.”
This is just the latest security issue for the social media giant, which most notably saw its reputation tarnished by the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help President Donald Trump get elected in 2016. Since then, the company has also been hit with additional scraping incidents, including one that impacted Instagram.
In April, the company also admitted it might have “unintentionally uploaded” the email contacts of 1.5 million new users since May 2016. Facebook said it stopped offering email password verification as an option for first-time signups in March. However, there were cases of people’s email contacts being uploaded to Facebook when accounts were created.
“We estimate that up to 1.5 million people’s email contacts may have been uploaded,” Facebook said at the time. “These contacts were not shared with anyone and we are deleting them.”