A researcher has found several databases stored on an unprotected server that held personal information — mostly phone numbers — of hundreds of millions of Facebook users. While the company argues the data is over a year old, that doesn’t change the fact that it is a big privacy breach. Who collected the information, and why, remains unclear.

When Mark Zuckerberg outlined Facebook’s “privacy-focused” future earlier this year, everyone was right to treat his promises with skepticism. The latest security breach exposed the phone numbers of 419 million users, even after Facebook said it had restricted access to that information over a year ago as part of a policy update.

Sanyam Jain, a security researcher from the GDI Foundation, discovered the dataset on an unprotected server and told TechCrunch he was unable to find the person who scraped that information from Facebook. The good news, however, is that after the hosting company was contacted, the databases were taken offline.

The server contained records of users from all around the world, including 133 million records on Facebook users in the US, 50 million on users in Vietnam, and 18 million on people in the UK. The researcher says each phone number was tied to a user’s Facebook ID, which is a long string of numbers that is uniquely associated with a Facebook account. That ID can be used to find out a username, and some of the records included other personal details like name, gender, and location.

A Facebook spokesperson explained that “this dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. […] The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”

Still, the news comes at a time when Facebook is under fire from all directions for privacy breaches and anticompetitive behavior. Earlier this year it was revealed that the company’s two-factor authentication system could be used by almost anyone to find your phone number. It’s also worth noting that Facebook’s sketchy practices go so deep that it knows what apps you use even if you don’t have a Facebook account.