Security Researchers Say Criminal Group Scraped Phone Numbers and Other Data
An unsecured Elasticsearch database exposed the identities and phone numbers of over 267 million Facebook users for about two weeks, according to a new research report.
The information contained in this Elasticsearch server appears to have been harvested by cybercriminals during an illegal data scraping scheme, according to security researcher Bob Diachenko and privacy advocacy firm Comparitech, the collaborators on the report.
Cybercriminals not only uploaded the data to an online database, but also posted it to a hacker forum on Dec. 12, the report states. Most of the data came from U.S. Facebook users.
In addition to the Facebook identification, the database contained users’ full names, telephone numbers and a timestamp. The Elasticsearch server also included a landing page with a login dashboard and welcome note, the report notes.
“Facebook IDs are unique, public numbers associated with specific accounts, which can be used to discern an account’s username and other profile info,” the report adds.
The data collected in the Elasticsearch server is likely the result of an illegal scraping scheme carried out by cybercriminals operating in Vietnam, according to the report. The researchers, however, did not specify what led them to that conclusion.
Although it’s not clear how the data was scraped in this case, such scraping typically involves a large number of automated bots that sift through webpages, copy data and then store it in a database, according to the report.
One possibility is that the phone numbers came from an API that Facebook released to third-party app developers several years ago. This API allowed developers to add social content to their applications by accessing users’ profiles, friends list, groups, photos and event data, the report notes.
Facebook users’ phone numbers were available through this API until the company closed off access in 2018. Over the last year, the social media company has been changing the way third-party developers access its data, and in November, it announced further restrictions on data (see: Facebook: Developers Wrongfully Accessed User Data – Again).
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson tells Information Security Media Group.
It’s also possible that the cybercriminals in this case scraped data from publicly available user profiles, according to the report.
The report notes that the data that was scraped could be used for spam or phishing campaigns, especially through SMS messages sent to a victim’s smartphone.
This is the second time since September that security researchers have found an unsecured database containing Facebook IDs as well as phone numbers from users’ accounts.
In September, Facebook confirmed that an unsecured cloud-based server contained more than 419 million users’ phone numbers and other data that had been scraped from the company’s social network (see: Facebook: 419 Million Scraped User Phone Numbers Exposed).
Facebook has been attempting to clamp down on data leaks since the company was fined $5 billion in July by the U.S. Federal Trade Commission and the Department of Justice (see: It’s Official: FTC Fines Facebook $5 Billion).