Over the last year Facebook has committed multiple users’ privacy breaches, and this will not stop. Data protection specialists now report that the social network has leaked phone numbers of around 420 million users. Despite the company’s efforts to improve perception of its privacy policies, the situation does not seem to improve.
The database where phones linked to users’ accounts were stored was discovered online without any protection, such as a password. In other words, anyone who knows where to look for this information could easily find it. Based on phone numbers, most of those affected appear to be originally from places such as the United Kingdom, the United States and some Asian territories.
In addition, the database stored the Facebook ID key corresponding to each phone number, even though the same company announced a number of changes to restrict access to this information and fully protect the identity of users. In the end, it seems that the changes had no real effect.
To make the situation even worse, data protection experts mention that in addition to this information, some of the records in the database stored other sensitive details about users, such as names, gender, and location data. So far it is not known which company is responsible for this leak; “the only thing we can say is that the compromised server doesn’t belong to Facebook,” the experts added.
After the specialized platform TechCrunch revealed the incident, a Facebook spokesperson mentioned that this information is out of date: “It’s a database even prior to our new mobile phone data protection policy,” he said. In addition, the representative of the social network confirmed that access to the exposed database had already been disabled and denied the existence of evidence of improper access to any Facebook account as a result of this incident, although he could not deny that this is a still latent risk.
The company is trying to reduce the impact of this incident by sending security notifications for millions of users and claiming that the actual number of affected users is around 200 million, as the database contained duplicate records. However, data protection experts have denied this version, ensuring that, after intensive analysis, no evidence was found that duplicate data is available.
Facebook has made very serious mistakes on privacy issues over the past year. In January 2019, the company confirmed that it mistakenly stored millions of unencrypted Instagram passwords. A couple of months later, the company revealed that, due to a technical error, millions of children using Messenger Kids could enter any group chat without any parental restrictions.
Data protection experts from the International Institute of Cyber Security (IICS) believe that the best way to avoid these incidents is to limit the amount of information we provide to social media platforms. However, this can be counterproductive, as services like Facebook require a phone number to implement multi-factor authentication, which adds one more layer of security to our online profiles, so it is up to users to implement or not their phone number on these services.