Security researcher Bob Diachenko and Comparitech discovered that a Facebook database with 267 million user IDs, phone numbers and names was left unsecured and accessed by hackers, who uploaded it to a downloadable format, according to a report.
Diachenko said he thinks the breach is because of an illegal bot scraping operation or even criminals who figured out how to abuse Facebook’s API. The originators of the database are suspected to be in Vietnam.
With the information, criminals could potentially launch a large-scale phishing campaign, either by SMS or other means. While Diachenko immediately notified the internet service provider about the breach, he noted that the information was also posted to a hacker forum.
It took about two weeks for the access to the database to be removed, according to the report. It was first indexed on Dec. 4, and then posted as a download on the forum on Dec. 12. On Dec. 14, Diachenko reported it and by the 19th it was unavailable.
He believes that the data did not belong to anyone, but was originally stolen by a criminal organization. That’s why Diachenko went right to the service provider.
Each record contained a unique Facebook ID, a phone number, a timestamp and a full name. IDs are unique and can be used to figure out more information about people.
The exact method for theft is not clearly known. It could have been a manipulation of Facebook’s API, which developers use to add social aspects to their own apps. However, it could also be a simple bot that was created to scrape phone numbers off of public profiles, as well as other information.
There’s also the possibility that there was a hole in security in the API that criminals took advantage of and used to perpetrate the crime.
This particular type of breach would most likely be used for a spam or phishing campaign.