Access to Facebook users’ phone numbers is being sold via an automated Telegram bot, whose creator claims to have data on over 500 million users, according to a new report from Motherboard.
A Facebook vulnerability that was patched in 2019 has resulted in the phone numbers of 533 million users going on sale via a dark web cybercrime forum. Interested buyers can look up information in the database using a Telegram bot.
Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, discovered the activity and alerted Motherboard. “It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” he said.
The Telegram bot lets users either enter a phone number to see which Facebook user it belongs to, or enter a Facebook user’s name to get their phone number. The service isn’t free: users need credits to gain access to a full telephone number, with one credit costing $20 USD. Credits are also sold in bulk, with 10,000 credits priced at $5,000 USD.
The bot has been running since at least January 12, 2021, according to screenshots posted by Gal, but the data it provides access to is from 2019. This is a particularly embarrassing situation for Facebook.
At the moment, it is not known whether Motherboard or security researchers have contacted Telegram to try to have the bot removed, but hopefully this will be resolved soon.
Reports of the Telegram bot started emerging a couple of weeks ago, which is a pretty embarrassing development for Facebook given that it usually asks for a person’s phone number so it can enable two-factor authentication. A data breach, even one that is two years old, has turned this security feature into a potential vector for follow-up attacks.