A huge database with the phone numbers of 419 million Facebook users has been found online on an unprotected server, in a database with no password, in the umpteenth demonstration of the company’s breathtakingly feeble security. A tool to check whether your phone number is among them is not yet available, but one will probably appear shortly. Apparently, when Facebook decided to ask its users for their phone numbers and made those numbers searchable, some bad actors started using that search function to systematically look up random numbers and compile (and presumably commercialize) huge databases. Behavior like that should have been patently obvious to Facebook’s system administrators, but the company decided to do nothing for several years, thus compromising the security of its users.
The database includes each Facebook user’s ID and the telephone number associated with their account, making it possible to access their profile and obtain additional data that could be used for any number of nefarious schemes.
How will Facebook defend itself? By simply saying “it wasn’t us, but some bad actor”. As if such a lame excuse could remove all responsibility from the owner of a platform that allows it, in a totally irresponsible way, to be used for something like this under its very nose. At a time when SIM swap scams are on the rise, Facebook allows the numbers of 419 million of its users to be leaked. Phone numbers are used for two-factor authentication when accessing an account from a new device, for password changes and for other security-related operations, which is exactly what SIM swaps exploit. This is not a problem I would wish on anybody, and it may have been behind the recent attack on Twitter CEO Jack Dorsey. In addition, telephone numbers are highly vulnerable precisely because users tend to keep them for many years, which undermines Facebook’s defense, which has simply been to say that “the data was old.” Finally, leaking such a high number of telephone numbers increases the likelihood that these users will be subjected to higher levels of telephone spam.
This is a crystal-clear case of irresponsibility in managing a platform. The minimum required of a company that trades in the data of its users is that it treats this data with a minimum of responsibility. Instead, the impression is that on Facebook, anyone can take the data they want, including passwords, copy it to any server without any protection, and leave it there until someone else finds it. Equally, one of its so-called trusted partners or a bad actor might be given free access to use it for whatever sinister purpose. There have been so many cases demonstrating the fallibility of Facebook’s internal security practices that it is clear fines, even of five billion dollars, are not going to make it change its ways.
Facebook is now a real problem, the definition of what social media should never have become. The simple truth is that Facebook is not remotely interested in protecting the data of its users, which it sees simply as raw material, a product to be packaged and sold. The problem with seeing these kinds of stories in the news is that we end up believing this is “normal”, inevitable, part of the picture. But it isn’t, and it shouldn’t have to be. When a company has one security issue after another and does nothing but apologize (after first trying to evade responsibility), it is clear the problem is embedded in the culture of that company and very possibly has no solution.
(In Spanish, here)