It has happened again. Facebook has suffered yet another security incident, this one exposing 419 million accounts. This time, it is users' phone numbers that were affected.
Facebook is once again in the spotlight over its ability to protect users' data, thanks to yet another blockbuster data leak. This time, the leak affects people's phone numbers, the very thing Facebook asked users to provide for better security. From The Independent:
A security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.
A total of 18 million were from users in the UK, while around 133 million were from American accounts.
The records contained not only the users’ phone numbers but also their Facebook identification, which can be used to discern a person’s Facebook username.
Some records included the person's gender and location details, according to Sanyam Jain, the security researcher who first reported the database to the TechCrunch website.
What's interesting is that Facebook's gathering of people's phone numbers has been controversial for quite some time now. Last year, the Electronic Frontier Foundation called out Facebook for asking for phone numbers for the purpose of two-factor authentication, then turning around and using those numbers for advertising. From their comments at the time:
Facebook is also grabbing your contact information from your friends. Kash Hill of Gizmodo provides an example:
…if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.
This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.
Even worse, none of this is accessible or transparent to users. You can’t find such “shadow” contact information in the “contact and basic info” section of your profile; users in Europe can’t even get their hands on it despite explicit requirements under the GDPR that a company give users a “right to know” what information it has on them.
Earlier this year, the EFF accused Facebook of doubling down on phone numbers:
When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them into unnecessarily choosing between security and privacy.
While settings are available to choose whether “everyone,” “friends of friends,” or “friends” can use your phone number this way, there is no way to opt out completely.
Now, the scope of Facebook’s phone number problem seems even wider. In defiance of user expectations and security best practices, it is exposing users’ 2FA phone numbers not only to advertisers but also to, well, anyone. Facebook must fix this before more people are put at risk. It should never have made phone numbers that were provided for security searchable by everyone in the first place.
So, with all of this already on the record, and now a data leak from Facebook on top of it, things just keep getting worse.
Facebook, for its part, said that the data set is more than a year old and that it has since made changes.
Back in July, the American regulator, the FTC, fined Facebook $5 billion, saying it hoped the fine would serve both as a punishment for Facebook's violations in the Cambridge Analytica scandal and as a deterrent. That could be at least one reason why Facebook is taking the approach of saying that the data set is old and that it has since changed. After all, how badly would you want investigators going after you yet again for another massive security incident?
Either way, it appears that the controversy surrounding Facebook just keeps building, and Facebook's privacy practices are unlikely to leave the public eye any time soon.
Drew Wilson on Twitter: @icecube85 and Facebook.