What Happened?

On Wednesday, September 4th, 2019, security researchers discovered an unprotected server containing over 419 million records of Facebook users. The server was not password protected, so anyone could access the database, which held millions of Facebook users’ unique Facebook IDs and the phone numbers connected to them. Some records also included the user’s name, gender, and location. The exposed server held records of 133 million Facebook users in the U.S., 18 million users in the U.K., and over 50 million records in Vietnam. This phone number and account ID leak is the latest in what has become a long list of security vulnerabilities linked to Facebook privacy concerns.

Should You Be Worried?

The database has since been removed from the web, but it is unclear how long it was left unprotected. Access to Facebook users’ cellphone numbers increases their exposure to fraudulent scam calls. Users with compromised phone numbers are also at risk of SIM card swap schemes, where hackers get the mobile service provider to switch the number to a new SIM card. After a successful number swap, the fraudster receives the calls and text messages sent to that number and can then access accounts that use two-factor authentication (2FA) as a protective measure. Combined with passwords that have been disclosed in previous data breaches, cybercriminals may also attempt account takeovers through credential stuffing attacks.

3 Tips to Stay Protected

  1. Tighten your Facebook privacy settings. The privacy tab in your Facebook settings adjusts your default sharing, search and contact settings. Update "How People Find and Contact You" to restrict users from searching for you by your email and phone number.
  2. Access our Social Media Security Center. Review how you can protect yourself across various social media platforms, including adjusting your privacy settings.
  3. Update your passwords. If you have a Facebook account, be sure to update your password to a strong sequence that you have not previously used.