Millions of Facebook users had their publicly listed personal data, including their phone numbers, shared in an online forum for malicious actors to use.

What happened?

A database containing more than 267 million Facebook user IDs, names, and phone numbers was left publicly exposed online, and although it has since been taken down, the data from that database ended up on an online forum for hackers. Cybersecurity site Comparitech, in partnership with data-security researcher Bob Diachenko, discovered the database and has shared a timeline of events.

Diachenko, who looks for exposed databases online and notifies their owners, found a database of Facebook user data and concluded that its owners were maintaining it illegally and were possibly part of a criminal enterprise. He therefore contacted the internet service provider managing the IP address of the server storing the database. The database first appeared online on 4 December, and Diachenko reported it to the ISP on 14 December.

Diachenko said the database might have been left public by mistake; it has since been taken down and is no longer available. However, on 12 December, the data from the database was posted publicly to an online forum for hackers.

Who owned the database?

The researchers traced it back to Vietnam.

Is Facebook at fault?

Although they don't know how the Facebook user database was created, the researchers say it might have been aggregated through scraping, a process in which public information is copied from Facebook profiles using automated bots. It's also possible the data was collected before 2018, that is, before Facebook stopped giving third-party developers access to users' phone numbers.

Why is this a big deal?

Many Facebook users allow their phone numbers and other types of data to be public on their profiles. But manually combing through millions of profiles to collect that information is far more difficult than visiting a web forum and grabbing Facebook user data that has already been plucked and compiled for you. Many hackers use these databases to obtain a large pool of targets and to make their phishing attempts more convincing.

How does it affect you?

If your publicly listed personal data was part of the database that Diachenko discovered exposed online, then your Facebook ID, name, and phone number were most likely also posted to a website that hackers use to find targets and to tailor their phishing methods. In other words, you are now more likely to be targeted online by malicious actors.

Diachenko said 267,140,436 Facebook users were included in the database and that most of these people are from the US. There doesn't appear to be a way to learn if you, personally, are affected.

What can you do now?

Short of changing your phone number and deleting your Facebook profile, be extra mindful about spam calls, texts, and emails, unsolicited requests, and invitations to click links, and be sure you're only visiting legitimate sites. Lastly, to avoid having your information scraped from your profile again, Comparitech suggested omitting your profile from search-engine results and only allowing friends to see your posts.