Data of millions of Facebook users exposed

A group in Vietnam was charging for access to the information, which included names and phone numbers

FILE - In this Aug. 11, 2019, file photo an iPhone displays a Facebook page in New Orleans. A Ukrainian security researcher says a database with the names, phone numbers and unique user IDs of more than 267 million Facebook users was exposed on the open internet for at least 10 days this month. (AP Photo/Jenny Kane, File)

Information on 267 million Facebook users, including names, phone numbers and Facebook IDs, was exposed online, according to a cyber-security researcher.

The data, mostly from US Facebook users, was posted on a searchable database by a group that appeared to be based in Vietnam, said Bob Diachenko, the cyber threat intelligence director at Security Discovery, a Ukrainian cyber-security website that offers news and consulting services. The Vietnamese group appeared to be charging for access to the data, but a flaw in their code inadvertently left the database open to all, he said.

A spokeswoman from Facebook said the company was looking into the issue. She said the information was likely obtained before Facebook made changes in recent years to better protect people’s information.

It was not known if any of the user information was accessed or sold by the Vietnamese group. Mr Diachenko partnered with Comparitech, a website that seeks to help consumers research and compare tech services, to uncover the exposed data.

Of the affected users, 99 per cent were from the US and most of the others came from Vietnam, Mr Diachenko said. He said he surmised that the group that was selling access to the information was from Vietnam because of the use of Vietnamese language and because the data – its type and structure – resembles that of other data breaches conducted by Vietnamese hackers.

The exposed information – particularly if cross-referenced with other databases – could be used for sophisticated spam or phishing attacks, he said. “This is pretty significant because you can start getting a full profile of a person,” Mr Diachenko said of the data.

He said he contacted the internet service provider hosting the database, and it was removed on Thursday.