Information belonging to no less than 267 million Facebook users has leaked to the web and can now be downloaded from a hacker forum, according to a recent discovery.

The database includes user IDs, phone numbers, and names, Comparitech and security researcher Bob Diachenko explain today. The leaked details were uploaded to a public server accessible to anyone without a password or other authentication method.

The data was first indexed on December 4, while on December 12 the entire set of leaked info was uploaded to a hacker forum. Two days later, the security researcher reported the incident to the ISP managing the IP address of the server, and on December 19, the database was taken offline.

However, given that copies of the database have already been uploaded elsewhere, the risk of large-scale SMS spam and phishing campaign is high, according to researchers.

Facebook: We’re investigating

At this point, it’s not yet clear how the information leaked to the web, but Diachenko believes there’s a chance the data was stolen from Facebook’s developer API before the social network introduced the phone number verification in 2018. At the same time, security holes in the Facebook API or simply scraping the information from public pages are two scenarios worth investigating.

The security researcher believes the operation was conducted by hackers based in Vietnam, but further evidence in this regard is yet to be provided.

Facebook says it’s already investigating the incident, and adds that there’s a chance the information was indeed extracted before the latest security updates it implemented for the social network.

“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people's information,” a Facebook spokesperson told Engadget.

Changing the password of the Facebook account and the email address associated with the social network should be a priority for users right now. Given phone numbers have been exposed as well, users should pay particular attention to any SMS scams that could kick off in the coming months.