The server was not password protected, meaning anyone could access the databases, and remained online until late Wednesday when TechCrunch contacted the site's host.
confirmed parts of the report but downplayed the extent of the exposure, saying that the number of accounts so far confirmed was around half of the reported 419 million.
It added that many of the entries were duplicates and that the data was old.
"The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised," a Facebook spokesperson told AFP.
Following the 2018 Cambridge Analytica
scandal, when a firm used Facebook's lax privacy settings to access millions of users' personal details, the company disabled a feature that allowed users to search the platform by phone numbers.
The exposure of a user's phone number leaves them vulnerable to spam calls, SIM-swapping -- as recently happened to Twitter CEO Jack Dorsey -- with hackers able to force-reset the passwords of the compromised accounts.