Well-known information security researcher Bob Diachenko and Comparitech specialists reported the discovery of an unprotected Elasticsearch database containing data on 267,140,436 Facebook users (most of the records belonged to American users). The database held user identifiers, phone numbers and names, and anyone could access all of this data without a password or any other form of authentication.
Comparitech analysts emphasized that this data could be used to carry out large-scale spam and phishing SMS campaigns, as well as other malicious operations.
The experts believe that the database belonged to a criminal group from Vietnam. For that reason, they did not contact the owners of the database but went directly to the hosting provider, which blocked access to the information immediately after receiving the researchers' warning.
According to the experts, the database was publicly accessible for at least two weeks (it was first indexed on December 4, 2019), and during that time it was found by attackers: on December 12, 2019, a dump of the database had already been posted for download on a hacker forum.
The researchers write that the information in the database was probably collected through scraping or obtained by abusing the Facebook API. Access to the API was restricted in 2018, but the attackers allegedly found some vulnerability and continued to abuse it. In November of this year, Facebook had already acknowledged that more than 100 third-party application developers had access to user data through the Groups API, despite the fact that access to this information had been restricted the previous year.
Representatives of the social network said they are investigating the new incident, but suggested that the information in the database was collected before the changes the company has implemented over the past few years.