Comparitech and security researcher Bob Diachenko have uncovered a database containing more than 267 million Facebook users’ data that was left exposed online, with not even a password preventing unauthorized access to it.

The Elasticsearch cluster contained user IDs, phone numbers, and names of mostly US-based users. According to Diachenko, who examined the evidence, the data likely came from “an illegal scraping operation or Facebook API abuse by criminals in Vietnam.”

It was left exposed for nearly two weeks starting December 4, and is now unavailable – but not before it was allegedly shared as a download on a hacker forum.

While this isn’t a lot of data per person, it could still be used to target users with phishing attacks. A Facebook spokesperson told Engadget, “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”

It’s worrying that Facebook can’t seem to get through a single year without at least a few major privacy and security scandals. In September, a similar database containing 419 million users’ IDs and phone numbers was found exposed online.

The company probably doesn’t worry about this kind of thing too much, because it has plenty of cash to throw at the problem. In April, we learned from an earnings call that the social network had set aside $3 billion to pay off fines as and when it was pulled up by authorities over its privacy practices.

We’ve contacted Facebook to learn more and will update this post when there’s a response.

Read next: IBM's efficient new battery for gadgets doesn't require mining for heavy metals