Facebook’s latest privacy lapse has exposed over 400 million user records on a server that wasn’t protected with a password. TechCrunch reports today that each record contained a user’s Facebook ID and the phone number linked to their account.
The server included records across several databases, including 133 million records for US Facebook users, as well as records for 18 million UK users and over 50 million users in Vietnam.
Each record included a user’s Facebook ID, which TechCrunch describes as a “long, unique, and public number associated” with Facebook accounts. That ID can then be used to figure out an account’s username. Each record also contained a user’s phone number, and in some instances name, gender, and location by country.
Most notably, phone numbers have not been public on Facebook in more than a year after the company changed its policy. This is what makes it so notable that over 400 million records with phone numbers were left unprotected.
In a statement, a Facebook spokesperson said the dataset is “old” and has information from before the company’s policy change related to phone numbers:
Facebook has had a rough history with user phone numbers. Over the last year, the company has faced a pair of controversies over how it used phone numbers users had provided for two-factor authentication purposes.