This archive report was first published on 5 September 2019.
On September 4, 2019, a significant privacy lapse was reported, affecting over 400 million Facebook users worldwide. According to US media, phone numbers linked to these users were listed online, exposing their personal data.
Technology news site TechCrunch discovered an exposed server storing 419 million records on users across several databases, including 133 million US accounts, more than 50 million in Vietnam, and 18 million in Britain. The databases listed Facebook user IDs, phone numbers, as well as the gender listed by some accounts and their geographical locations.
The server was not password protected, allowing anyone to access the databases, and remained online until late Wednesday when TechCrunch contacted the site's host. Facebook confirmed parts of the report but downplayed the extent of the exposure, stating that the number of accounts so far confirmed was around half of the reported 419 million.
The company added that many of the entries were duplicates and that the data was old. A Facebook spokesperson told AFP, "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised."
This latest privacy lapse comes after the 2018 Cambridge Analytica scandal, where a firm used Facebook's lax privacy settings to access millions of users' personal details. Following the incident, Facebook disabled a feature that allowed users to search the platform by phone numbers.
The exposure of a user's phone number leaves them vulnerable to spam calls, SIM-swapping, and other cyber threats, including hackers forcing-resetting the passwords of compromised accounts.