Facebook has confirmed about 200 million phone numbers from members have been exposed in an online database.
The company said it was investigating who had compiled the database and left it online unprotected.
It includes telephone numbers for about 18 million Facebook members in the UK.
The UK's Information Commissioner's Office (ICO) said it had referred the matter to its Irish equivalent - the IDPC - which is the supervisory authority for Facebook in the EU.
The database of telephone numbers and Facebook IDs was discovered on an unprotected web server and was not password protected.
It is not believed to have been compiled or put there by Facebook.
The database was taken offline after the news site TechCrunch reported the issue to the web hosting company.
In April 2018, Facebook switched off a feature that let people search for other users by typing in their phone number.
The company said "malicious actors" had abused the feature by typing in millions of phone numbers to find out who owned them.
It said they had been harvesting profiles and phone numbers for years by abusing the search tool and that anybody who had not changed their privacy settings after adding their phone number should assume their information had been harvested.
And it is thought the database reported by TechCrunch may have been compiled by using this tool.