Facebook reportedly failed to password-protect one of its servers, leaving the phone numbers of 419 million users unsecured.
Here's what we know
On Wednesday, TechCrunch reported that it had found a way to access these phone numbers, including 133 million belonging to Facebook users in the United States and 18 million for Facebook users in the United Kingdom.
The security flaw allowed anyone to freely access a database that paired Facebook IDs with user phone numbers. Facebook ID numbers are assigned to all accounts, and can easily be accessed on a user's Facebook page.
The issue was reportedly linked to a now-defunct feature that allowed users to find Facebook profiles by searching for phone numbers. This was discontinued in April 2018, but the database that helped it work still existed.
TechCrunch went through this database and found several instances of Facebook ID and phone number combinations that its reporters could verify. An unspecified number of entries in the database also included names, gender, and the Facebook user's location at the time the database was compiled.
Facebook admitted that the error had occurred, but told Business Insider that the actual number was probably half of what TechCrunch reported.
"The data set has been taken down and we have seen no evidence that Facebook accounts were compromised," a Facebook spokesperson said.
What else?
Facebook has been plagued by security issues throughout its existence, and the company has repeatedly said it is committed to solving them.
In July, Facebook admitted that a glitch in the child-friendly version of its messenger app allowed children to talk to strangers, despite parental controls that were supposed to prevent this.
This isn't even the first time that this specific database has caused problems. In its response to this latest incident, the company also directed Business Insider to an April 4, 2018, Facebook Newsroom blog post in which Facebook CTO Mike Schroepfer announced that the Search and Account Recovery function had been disabled due to "malicious actors" who "abused these features to scrape public information by submitting phone numbers and email addresses they already have through search and account recovery."
"Given the scale and sophistication of the activity we've seen," Schroepfer wrote at the time, "we believe most people on Facebook could have had their public profile scraped in this way."