Approximately 267,140,436 users, most of whom reside in the United States, had their Facebook IDs, phone numbers and names exposed in an unsecured database, according to a report published Thursday by cybersecurity firm Comparitech and security researcher Bob Diachenko.
The report warned users that the information within the database could be used to conduct spam and phishing schemes. The report also noted that users could be exposed to “other threats” but did not specify what those are.
The information was exposed for two weeks before access to the database was removed, according to the report.
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told FOX Business Friday.
It remains unclear how the user IDs and phone numbers were obtained, but Diachenko believes, based on the evidence he and the firm obtained, that the data may be linked to an illegal process known as "scraping" or to criminals in Vietnam who abused Facebook's developer API.
Scraping is when automated bots copy troves of data from various websites; the data is usually placed into a database, often for analysis.
It is possible the data was stolen through Facebook's API before the company restricted access to users' phone numbers back in 2018, according to Diachenko.
Prior to 2018, phone numbers were available to third-party developers, according to the report. However, the API may also have a security hole that may allow criminals to access the records even after access was restricted, the report said.
Another possibility is that the information was "scraped" from publicly visible profile pages.
“It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot,” the report read.
Diachenko warns users to be on the lookout for suspicious text messages. In addition, Facebook users can minimize the risk of having their information "scraped" by adjusting their profile privacy settings.
To do so, users must:
- Open Facebook and go to "Settings"
- Click "Privacy"
- Set all relevant fields to "Friends" or "Only me"
- Set "Do you want search engines outside of Facebook to link to your profile" to "No"
This comes just after records of more than 419 million Facebook accounts -- including phone numbers associated with the accounts -- were found online in September. The records were found across several databases on a server that was not protected by a password, TechCrunch reported.
This story has been updated to include a comment from Facebook.
FOX Business’ Ann Schmidt contributed to this report.