The database, which Diachenko discovered with a search engine, was freely accessible online for at least 10 days beginning Dec.
Diachenko said someone downloaded the database to a hacker forum two days before he discovered it so it may have been shared among online thieves.
He firstreported the findingThursday in partnership with the UK tech news website Comparitech, which editor Paul Bischoff said has been helping write up Diachenkos discoveries of unsecured databases for about a year.
The researcher provided the AP with a 10-record sample from the database and the IDsand two phone numbers that were answeredchecked out against real Facebook users.
The evidence suggests the data was collected illegally, most likely by criminals in Vietnam who may have scraped it from public Facebook pages or by somehow obtaining privileged access to the service.
In a statement, the social network said it was investigating the issue and that the finding likely involved information obtained before Facebook took unspecified data-protection measures in recent years.
Security experts say the affected Facebook users are at higher risk of being targeted by spam, password-stealing phishing attacks, and identity theft attempts.
In March, Facebookdisclosedthat it had left hundreds of millions of user passwords readable by its employees on internal severs for years after a security researcherexposed thelapse.
Original article