Dianchenko says he reported the database to the service provider managing the IP address of the server, but the database was exposed for nearly two weeks. In the meantime, he says, the data was posted as a download in a hacker forum.

That’s a lot of personal data to be floating around in the wild, and as Comparitech notes, it could be used to carry out phishing scams and other foul play.

“We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson told Engadget.

Unfortunately, this is far from the first time that millions of Facebook users have had their data exposed online. In September, a security researcher found another database with 419 million records tied to Facebook accounts. One year prior, a hack exposed private info belonging to 29 million users. Third-party errors have left 540 million Facebook records exposed, and earlier this year, over 20,000 Facebook employees had access to 600 million users passwords. While Facebook’s future may be private, its present is apparently not.

The hack doesn’t appear to affect more security chip-and-pin cards, but not all consumers have those, so service stations often work with mag stripe readers, too. The data is apparently sent in an unencrypted form to the vendor’s main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren’t firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached.

There’s not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it’s transferred or use a chip-and-PIN policy. “Fuel dispenser merchants should take note of this activity and deploy devices that support chip-and-pin wherever possible, as this will significantly lower the likelihood of these attacks,” it advised in the December security alert.

Earlier this year, Visa announced that fuel merchants must deploy chip-and-PIN readers by October 2020. After that, any service stations without the new tech will be liable for any fraud. The problem is, many such businesses have very old technology and must replace the entire pump at an estimated cost of up to $250,000 per station. Spread across all the convenience stores in the US, the total hit has been estimated at around $22.5 billion.