On September 4th, 2019, TechCrunch, an online news site that covers technology and finance-related news, reported that the records of over 419 million Facebook accounts had been stored online on an unsecured, un-password protected server. Each account’s record included a Facebook ID, “a long, unique, and public number associated with their account,” as defined by TechCrunch, which could “easily [be] used to discern an account’s username,” as well as a cell phone number connected to said account. This information isn’t normally found on Facebook. The social media platform stopped allowing its users to search for other users by phone number in mid-2018, when a British political consulting company was revealed to have amassed a large database of personal information – including phone numbers – from millions of Facebook accounts. 

People whose phone numbers have been made public are exposed to a multitude of threats. For example, phone numbers can be plugged into public records and used to find information like addresses and the names of family members. These records can provide an attacker with enough knowledge to answer security questions and reset passwords on their victim’s various accounts or perform a hack known as SIM-swapping. An article in The Guardian, a prominent British newspaper, details the attack: a hacker equipped with their victim’s phone number contacts said person’s cell provider, convinces them that the number has been compromised, and has the number transferred to their own device. The attacker then possesses all information stored on the victim’s phone, and the means to reset the passwords for all accounts associated with the number. 

The server was pulled offline soon after TechCrunch reported it. Though the internet has yet to discover who scraped and compiled the data, according to the Guardian “[Facebook] is still investigating it.”