The social networking company has revealed that more than 419 million records - primarily from US users with around 18m from the UK - appeared in databases that anyone could find and access, before the information was take down.
As reported by TechCrunch, a security researcher discovered the mishap, with the records help in several databases that were part of a server which wasn't password protected.
A Facebook spokesperson said the company is still trying to determine exactly how many users have been impacted - it's thought to be around 200 million, as there were duplicates in the records.
In a statement, they said: "This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers.
"The dataset has been taken down, and we have seen no evidence that Facebook accounts were compromised."