Facebook IDs and User Phone Numbers Leaked from Unprotected Database

Last updated September 17, 2021
Written by: Bill Toulas, Cybersecurity Journalist

As reported by TechCrunch, 419 million records associated with Facebook accounts have been spilled online. The discovery was made by security researcher Sanyam Jain, who tried to identify the owner of the database but failed, and so asked TechCrunch for help. TechCrunch investigated as well but couldn’t determine the identity of the Facebook collaborator that was responsible for the server. However, they did contact the hosting platform, and the database has since been taken offline. Each record consists mainly of the user’s Facebook ID and phone number.

A leaked phone number is critical because it puts you at risk of falling victim to a catastrophic SIM swapping attack. Moreover, phishing efforts that rely on social engineering are easier to carry out against someone with a known name and Facebook account. Remember, your account’s Facebook ID is part of your public profile on the platform, so anyone can easily associate it with more information about you. The phone number, however, isn’t public, and Facebook has not shared it with its developers and advertising collaborators since 2011. That was the official position on the practice, and as we saw back in March, it wasn’t entirely true. Following revelations about 2FA privacy gaps, the social media giant admitted that it had shared user phone numbers with some advertisers.

[Image: Facebook database. Source: https://techcrunch.com]

The official response to this latest incident, from company spokesperson Jay Nancarrow, claims that the database contains very old data. As he told TechCrunch: “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”

Who owned the exposed server and who is responsible for the phone number leaks remains undisclosed. The security researcher claims that the data appears to have been loaded onto the exposed database only a few weeks ago, which could mean that it is freshly scraped information. However, this is only an indication, so nothing on that front can be said with certainty yet.



