Skip to content
Naked Security Naked Security

Database exposed 133 million US Facebook users’ phone numbers

Facebook confirmed the breach, claiming that the total number of users in the database was 210 million.

A researcher has stumbled on a publicly exposed database containing the telephone numbers of hundreds of millions of Facebook users.

According to TechCrunch, Sanyam Jain of research non-profit the GDI Foundation recently found the unprotected database containing 419 million user records on a web host.

He wasn’t able to identify who put it there, but the recently exposed records contained each user’s unique Facebook ID along with their mobile or mainline phone number.

After TechCrunch checked the records, some contained users’ name, gender and location. The countries which appeared most often in the data were the US with 133 million numbers, Vietnam with 50 million, and the UK with 18 million.

Facebook later confirmed the breach, claiming to The Guardian that once duplicate records were removed, the total number of users in the database was 210 million.

According to Facebook’s Jay Nancarrow, the database appeared to have been ‘scraped’ before privacy changes implemented in 2018:

This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.

The data was now no longer accessible, and it was still investigating who might have collected it. The company had seen no evidence it had been used to compromise accounts, he added.

Telephone numbers matter

If there was ever a time when exposing telephone numbers could be viewed as a minor privacy breach, those days are long gone. These days, telephone numbers can be hugely valuable to cybercriminals.

Numbers can be abused in two ways, the most obvious of which is to fuel SIM swap fraud whereby criminals phone up carriers pretending to be the SIM owner asking for a replacement chip.

When they receive and activate the new SIM, the genuine user’s phone goes dead, a sign that their number has been taken over to bypass security layers such as SMS-based two-factor authentication.

Telephone numbers also offer a route into internet accounts that allow SMS messages to be used to confirm credential resets.

According to Jain, the database also contained the profiles and associated telephone numbers of celebrities.


SIM swapping section starts at 33’00”.
Click-and-drag on the soundwaves below to skip to any point in the podcast.

Audio player above not working? Download MP3, listen on Soundcloud or on Apple Podcasts, or access via Spotify.

What to do

Assuming a Facebook ID/number was part of this database (and third parties got hold of it somehow), the only quick fix is to change that number. Most people will be reluctant to pull that plug because it comes with the inconvenience that nobody can contact you until you tell them the new one.


Not to mention spammers would love that list. I have had the same number since 1995 and because I only use it for family/friends and true business I get very few spam calls. Up until a few months ago that is. I now get 2-3 a day so I know my number has gotten out there somehow. Maybe this.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!