September 5, 2019

Over 419 Million Phone Numbers Exposed. How To Learn From Facebook’s Mistakes To Never Repeat Them Again

When you get the headlines that involve hundreds as numbers, “data” as a noun, and “exposed” as an adjective, you already know who’s involved.

Is it even necessary to point fingers at Facebook at this point?

They don’t feel any shame for all the leaks that happened in the past few years. As we can see, expecting them to learn from their mistakes is not an option anymore.

There will be more fines, more high-resolution photos of Zuckerberg plastered all over the media, and even more angry users.

Not A Pretty Sight, No Matter How You Look At It

But we can look at this situation with an exposed server differently: setting aside pointless name-calling and sticking to ways of ensuring our own companies never end up in the same situation.

Let’s look at how Facebook’s spokesperson reacted to such news...

“The dataset is old and appears to have information obtained before we made changes last year.”

Facebook, just because you no longer need that information doesn’t mean that nobody else does.

It can still give malicious actors the power to reset accounts. They can also pull up more information about the person through public databases, expose the target to annoying spam, or even impersonate the target and gain access to bank accounts.

But wait, there’s more!

The most recent data uploaded to that server dates back to July of 2019. So someone is either lying or has no idea what’s happening. 

Plus, the exposed information included users’ Facebook IDs. But that’s not the end of the world, for one simple reason: anyone could see them in the URL anyway.

Every Lesson Is A Blessing?

Let’s recap now.

Personal information has been gathered by a third party, the database did not have any password protection, and no signs of encryption were seen, as phone numbers were available in plain text to anyone who could find them.

I will assertively repeat the number one rule in cybersecurity today: data should always be encrypted, both in transit and at rest.

That’s an important rule, but not the only one.

  • Encryption should happen on the client side.
  • Only the client should have access to the encryption keys.
  • We should not transfer sensitive data and files over unprotected communication channels.
  • The company must be in full control of the storage that holds the encrypted information and the keys.
  • Cybersecurity solutions must be legally compliant.

So how many cases do we have to go through, and how many billions do they have to pay in fines, before this sinks in? I would like to see Facebook change, but tigers don’t change their stripes.
