Phone numbers of 533 million Facebook users are currently being sold via a bot on encrypted messaging platform Telegram, which came from a Facebook vulnerability that was patched by the social network in 2019.
The person selling the database full of Facebook users’ phone numbers (it’s $20 per number) lets customers lookup those numbers by using an automated Telegram bot, according to a report in Motherboard.
Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock first alerted about the Telegram bot selling Facebook users’ information.
“It is worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing (the fraudulent practice of sending text messages) and other fraudulent activities by bad actors,” Alon Gal said.
Though data is a bit old but it still presents a cybersecurity and privacy risk to those whose phone numbers may be exposed.
Facebook told Motherboard the data relates to a vulnerability the company fixed in August 2019.
The Telegram bot lets users enter either a phone number to receive the corresponding user’s Facebook ID, or visa versa.
The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits.
The bot claims to contain information on Facebook users from the US, Canada, the UK, Australia and 15 other countries.
The Telegram bot has been running since at least January 12.
Facebook or Telegram are yet to officially comment on the report.
It is important that Facebook notify its users of this breach, so they are less likely to fall victim to different hacking and social engineering attempts, Alon Gal said.
In December last year, reports surfaced that a bug exposed the personal information like email addresses and birthdays of Instagram users. The bug was only accessible for a short period of time during a small test.
In November, Facebook fixed a bug in its Messenger app that could have allowed hackers to connect audio calls without the knowledge or approval from the app user. The vulnerability could have been used to spy on Facebook users via Android phones.