More than 267 million names, phone numbers and user IDs of Facebook users were discovered on the dark web, cybersecurity researchers said Thursday.
For the past two weeks, the massive trove of sensitive information was exposed to anyone who wanted to see it, according to a joint report from tech site Comparitech and researcher Bob Diachenko.
The confidential records were first made available on Dec. 4, according to the researchers’ timeline, and made their way to a hacker forum eight days later.
They were taken down Thursday after Diachenko informed its internet service provider about the unsecured information — but not before sitting as a download in the hacker forum for a week.
The database belongs to “a criminal organization” in Vietnam “according to the evidence,” the researchers said.
Most of the affected users — 267.1 million in total — were American.
It is not yet clear how the information was accessed, but Comparitech suggested it may have been collected through “scraping,” a process by which bots copy and collect data from web pages.
Scraping is forbidden by Facebook’s terms of service, but when a profile is listed as “public” it is easy to do.
The leaked information may make victims easier to target with “large-scale SMS spam and phishing campaigns,” Comparitech said.
“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” Facebook said in a statement.
The Menlo Park, Calif.-based social network has been scrambling to improve its handling of user data since the Cambridge Analytica scandal in 2018, which saw the now-shuttered research firm hoover up the personal data of nearly 90 million Facebook users to better target them with political ads during the 2016 presidential election.
Cybersecurity expert J. Eduardo Campos said this month’s leak doesn’t appear to be as bad as Cambridge Analytica, but that final judgement should be reserved for when more details emerge.
“This one has the potential to be as bad, but we don’t know how sophisticated the criminals who got this data are,” Campos told The Post. “[Cambridge Analytica] was worse because they were able to clearly define what they were trying to achieve.”
Also in 2018, Facebook revealed that a bug in its system accidentally exposed the private photos of nearly 7 million users. The breach gave certain third-party apps access to photos that were uploaded but not yet made public on Facebook, as well as photos on Facebook’s Marketplace and Stories features.
Shares of Facebook were flat in extended trading, down just four cents from its closing price of $206.06.