It had been a week or so since Facebook users got some bad news, so really this was probably inevitable. I don't mean to sound overly harsh, but let's be honest: Facebook has a problem keeping your private information, well, private. In fact, the way I know this is true is that the company just agreed to pay $5 billion to settle an investigation into that very allegation.
Just when we thought Facebook was past the latest scandal, we find out that a collection of 419 million phone numbers and user IDs was scraped from the site and stored in an unsecured database. Of those, 133 million belonged to U.S. users. To be clear, by "unsecured" I mean the database wasn't even password protected.
That's according to TechCrunch, which was alerted by a security researcher named Sanyam Jain, who first discovered the trove of information online. The data was apparently scraped over a year ago, since Facebook no longer allows developers access to user phone numbers. That means the database could have been sitting out in the open for a year, available to anyone who happened to find it.
Facebook, through a spokesperson, says that "the dataset has been taken down and we have seen no evidence that Facebook accounts were compromised." That's good news, but honestly, not great. Especially since the security researcher and TechCrunch were unable to uncover who the database belonged to, when it was scraped, or what it might have been used for.
The real problem, at this point, isn't whether a bad guy did something with the information, it's that the same thing keeps happening at Facebook, over and over and over.
By the way, when that's the case, you've officially crossed into "we have a problem" territory.
And it's not a small problem. The report from TechCrunch goes on to explain that:
This latest incident exposed millions of users' phone numbers just from their Facebook IDs, putting them at risk of spam calls and SIM-swapping attacks, which rely on tricking cell carriers into giving a person's phone number to an attacker. With someone else's phone number, an attacker can force-reset the password on any internet account associated with that number.
Let me break that down. Anyone who accessed this database could, in theory, trick Verizon or T-Mobile into swapping your phone number onto their device. Once that happens, they could initiate a "reset password" attempt for any service you associated with that phone number, including other social media networks, and even your bank. This is reportedly how Twitter CEO Jack Dorsey found himself hacked last week.
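The reason a swapped phone number is enough to take over an account is that many password-reset flows treat "can receive a text at the number on file" as proof of identity. The following is an added illustration (not code from the article, TechCrunch, or any real service) of that weak design next to a hardened one: the hardened flow still sends the SMS code, but never lets it stand alone. Account, ResetRequest and the two policy functions are hypothetical names constructed for this example; the sample accounts and requests are likewise constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Hypothetical account record: what a service knows about a user."""
    user_id: str
    phone: str
    totp_enrolled: bool = False            # authenticator app set up
    recovery_email: Optional[str] = None   # secondary channel not tied to the phone


@dataclass
class ResetRequest:
    """Hypothetical reset attempt. sms_code_ok is True whenever whoever
    currently controls the phone number typed in the SMS code correctly,
    which after a SIM swap is the attacker, not the account owner."""
    user_id: str
    sms_code_ok: bool
    totp_code_ok: bool = False
    email_link_ok: bool = False


def phone_only_reset(acct: Account, req: ResetRequest) -> bool:
    """Weak policy: the SMS code is the only proof of identity.
    Control of the phone number equals control of the account."""
    return req.user_id == acct.user_id and req.sms_code_ok


def hardened_reset(acct: Account, req: ResetRequest) -> bool:
    """Hardened policy: the SMS code is still required, but the reset must
    also pass a factor that a ported phone number alone cannot satisfy.
    Accounts with no second channel are never reset automatically; they
    are routed to manual review (modelled here as a plain refusal)."""
    if req.user_id != acct.user_id or not req.sms_code_ok:
        return False
    if acct.totp_enrolled:
        return req.totp_code_ok
    if acct.recovery_email is not None:
        return req.email_link_ok
    return False


# Constructed sample data: one account with an authenticator app, one without.
VICTIM_WITH_TOTP = Account("u100", "+15555550100", totp_enrolled=True)
VICTIM_PHONE_ONLY = Account("u200", "+15555550200")

# Constructed scenario: the attacker has had the number moved to their SIM,
# so they receive the SMS code, but they hold neither the TOTP secret nor
# the recovery mailbox.
ATTACKER_AFTER_SIM_SWAP = ResetRequest("u100", sms_code_ok=True)
ATTACKER_PHONE_ONLY_ACCT = ResetRequest("u200", sms_code_ok=True)

# The legitimate owner can present both the SMS code and the TOTP code.
OWNER = ResetRequest("u100", sms_code_ok=True, totp_code_ok=True)


def scenario_results() -> dict:
    """Evaluate both policies against the constructed scenarios."""
    return {
        "weak_attacker_succeeds": phone_only_reset(VICTIM_WITH_TOTP, ATTACKER_AFTER_SIM_SWAP),
        "hardened_attacker_blocked": not hardened_reset(VICTIM_WITH_TOTP, ATTACKER_AFTER_SIM_SWAP),
        "hardened_no_second_factor_blocked": not hardened_reset(VICTIM_PHONE_ONLY, ATTACKER_PHONE_ONLY_ACCT),
        "hardened_owner_succeeds": hardened_reset(VICTIM_WITH_TOTP, OWNER),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {ok}")
```

The point of the second policy is not the specific factor chosen but that the phone number is downgraded from "proof of identity" to "one signal among several." A service that also flags reset attempts made shortly after the number on file changed, and notifies the old contact channels, closes most of the window that a scraped phone list like this one opens.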
I guess you could try to argue that this isn't that big a deal since the actual breach happened a while ago, so it's not really fair to count this against Facebook. Except that just means that hundreds of millions of people have had their personal information exposed for far longer than anyone knows and their info has been used who knows where.
Even though Facebook doesn't know if any of this information leaked into the wild, that doesn't mean it hasn't or won't. And if, best case scenario, this is simply a case of carelessness by someone who collected the information at a time when developers were able to do so, it still reminds us that nothing you put on Facebook is really private.
Clearly, what happens on Facebook doesn't stay on Facebook, and that's a problem for everyone.