UPDATED 21:10 EDT / DECEMBER 19 2019

SECURITY

267M Facebook account details in unsecured database shared on hacking forum

An unsecured database with account details relating to 267 million Facebook Inc. users has been found online and has already been shared on a hacking forum.

Discovered and publicized today by security researcher Bob Diachenko, the Elasticsearch database included Facebook user IDs, phone numbers, full names and a time stamp. Where the data comes from, however, is not clear.

Diachenko speculates that the data may have been stolen from Facebook’s developer application programming interface before the company restricted access in 2018. Alternatively, the data could have simply been scraped from publicly visible profile pages. What is known, based on the evidence at hand, is that the database itself was compiled by criminals in Vietnam.

The database was available online for just over two weeks, having been first indexed Dec. 4. The data was posted to a hacker forum Dec. 12, and Diachenko discovered the database and informed the internet service provider managing the IP address of the server Dec. 14. The database was eventually taken offline today.

While the data in the database did not include passwords, the data itself is still valuable, as it can be used for phishing and spam campaigns, including those delivered by SMS message.

“Social media platforms are lucrative targets for cybercriminals due to the massive amounts of personally identifiable information that they collect and store from users,” Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., told SiliconANGLE. “In fact, the data exposed in this incident was found on a dark web forum, leaving the affected consumers highly vulnerable to targeted phishing and credential stuffing attacks, account hijacking and more.”

Even without the database including passwords, the problem of password reuse comes into play. “The lasting impact is unknown and a staggering 59% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated,” Kahol explained. “This could give cybercriminals access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.”

Robert Prigge, chief executive officer of identity verification company Jumio Corp., reflecting how routine such stories have become lately, said, “Yawn, another data breach. We’re all getting a bit jaded by these breaches and it’s a given that the information contained in the compromised database could be used to conduct large-scale SMS spam and phishing campaigns, among other threats to end-users.”

Tens of thousands of businesses use the Facebook Login Button on their websites to validate that users are who they claim to be, Prigge added. “You can’t possibly know if a user is who they claim to be given the scope and magnitude of these breaches,” he said. “Businesses must reconsider their use of these types of identity proofing and authentication mechanisms as they’re practically worthless.”

Photo: Ben Osteen/Flickr
