Facebook investigates claims that 267m users' data were exposed online

Mark Zuckerberg, Facebook founder and chief executive. Photo / Getty Images

Facebook is investigating reports that a database containing more than 267m records of user's personal information, including names and phone numbers, were exposed online and shared by hackers.

The trove of data, which mainly belonged to US users, appeared to have been posted on a hacker forum by a criminal organisation last week, according to a report by technology website Comparitech and security researcher Bob Diachenko.

READ MORE:
• Premium - Financial Times: Hong Kong authorities have lost their legitimacy
• Premium - Financial Times: Two-thirds of US voters say Trump has not made them better off
• Premium - Financial Times: How much money should you earn to be rich?

The information was taken down on Thursday after the researchers reported it and could have been used to conduct "large-scale SMS spam and phishing campaigns", Comparitech said.

Facebook said the social media group was "looking into this issue", but added that it believed it was "likely information obtained before changes we made in the past few years to better protect people's information".

The revelations come as the company is drawing up a new "privacy programme", which includes setting up a privacy committee that is independent from its board, as part of its record $5bn settlement with the US Federal Trade Commission over historic privacy violations.

Before 2018, developers were able to access reams of user data through Facebook's APIs, or integration "hooks" that third parties can use to plug into its system, in order to help them build apps.

However, after the Cambridge Analytica data leak, where a UK data company was accused of improperly accessing Facebook user information and using that in political campaigns, Facebook sought to restrict access to certain types of data, including phone numbers.

Friday's report raises the possibility that criminal groups were able to tap that personal information and continue to circulate it today, as Facebook struggles to keep a lid on the vast swaths of sensitive information it holds.

In November, the company said in a blog post that it had contacted 100 developers who had retained improper access to certain user data after it brought in the restrictions in 2018, and had cut their access to this data.

The exposure is the latest in a string of apparent data failings by the company this year. In March, it emerged that Facebook had improperly stored hundreds of millions of its users' passwords internally in a readable format.

Comparitech said the database could have been gathered by an "illegal scraping operation" prior to 2018, but suggested that Facebook may also "have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted".

Written by: Hannah Murphy

© Financial Times 2019