Someone has gotten their hands on a database full of phone numbers of Facebook users, and according to a post by Motherboard, is now selling the data using a Telegram bot. Alon Gal, the security researcher who discovered this vulnerability, says the individual who operates the bot claims to have 533 million users’ data, which came from a 2019 patched Facebook vulnerability.
For many databases, certain technological expertise are required to find some useful data. And there always needs to be an interaction between the person with the database and the person seeking to get information out of it, since the “owner” of the database won’t simply give all the important data to someone else. However, creating a Telegram bot solves all of these issues.
The bot helps someone to do two things: if they have the Facebook user ID of a person, they can find the phone number of that person, and if they have the phone number of a person, they can find their Facebook user ID. Though, of course, it costs money to really get access to the details you’re searching for, unlocking a piece of information, such as a phone number or Facebook ID, costs one credit that the person behind the bot sells for $20. There’s also bulk pricing available, with 10,000 credits selling for $5,000, according to the Motherboard report.
According to screenshots posted by Gal, the bot has been working since at least January 12, 2021, but the data to which it provides access is from 2019. That’s pretty old, but people often don’t change their phone numbers. For Facebook, it is extremely humiliating because it has historically collected telephone numbers from individuals, even users who were turned on two-factor authentication.
It is unclear at the moment whether Telegram was contacted by Motherboard or security researchers to try to get the bot down, but hopefully it’s something that can be clamped down soon.