An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users' data, Motherboard has found.
Motherboard verified the tool, which comes in the form of a bot on the social network and messaging platform Telegram, outputs accurate phone numbers of Facebook users that aren't included in the dataset of 500 million users. The data also appears to be different to another Telegram bot outputting Facebook phone numbers that Motherboard first reported on in January.
"Hello, can you tell me how you got my number?" one person included in the dataset asked Motherboard when reached for comment. "Omg, this is insane," they added. Another person returned Motherboard's call and, after confirming their name, said "If you have my number then yes it seems the data is accurate."
Do you work at Facebook, or know about another data breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
A description for the bot reads "The bot give [sic] out the phone numbers of users who have liked the Facebook page."
To use the bot, customers need to first identify the unique identification code of the Facebook Page they want to get phone numbers from, be that a band, restaurant, or any other sort of Page. This is possible with at least one free-to-use website. From there, customers enter that code into the bot, which provides a cost of the data in U.S. dollars and the option to proceed with the purchase, according to Motherboard's tests. A Page with tens of thousands of likes from Facebook users can cost a few hundred dollars, the bot shows. The data for Motherboard's own Page would return 134,803 results and cost $539, for example.
The bot offers the data for free if the Page has under 100 likes. Motherboard provided the bot with several Pages with a low user count and obtained the corresponding data. The bot provides a simple spreadsheet file with the Facebook user's full name, phone number, and gender. The bot does not necessarily provide data on all users who liked the Page; for a Page with around 50 likes, the bot provided a spreadsheet of under 10 users.
Motherboard took names in the spreadsheet, found the person's corresponding Facebook profile, and verified that they did like the specific Page (at the time of writing, although Facebook Pages show how many users liked them, it is not possible to directly see who the users are unless they are already your Facebook Friends). None of the Facebook profiles Motherboard viewed publicly displayed their phone number at the time of writing. But the phone numbers provided by the bot appear accurate. In one case, Motherboard added the number as a contact in a phone, and on WhatsApp saw a profile image identical to the one on the user's Facebook account. The data appears to be historical: when Motherboard used one of our own Facebook accounts with a linked phone number to like multiple Pages, our phone number did not appear in the bot's results. The bot does not return data on all Pages, according to Motherboard's tests.
Motherboard then took phone numbers from the Telegram bot and entered them into Have I Been Pwned, a breach notification service run by security researcher Troy Hunt, who has uploaded the database of 500 million Facebook users into the service. None of the numbers Motherboard tested appeared in that dataset, according to Have I Been Pwned tests.
Motherboard also shared the data obtained from the bot with Alon Gal, co-founder and CTO of cybersecurity intelligence firm Hudson Rock, who first tweeted about the recent 500m dataset. He said that none of the numbers obtained from the bot appear in the 500m dataset.
Gal said he also used Facebook's forgotten password mechanism to show that the numbers were linked to real Facebook accounts. In some cases after entering the phone number into the forgotten password field, Facebook returned a redacted version of the name of the user. This corresponded to the spreadsheets obtained by Motherboard from the bot: "T… S…" relates to a name in the spreadsheets beginning with those letters, Motherboard found when replicating that test.
When Motherboard reported on a separate Telegram bot that let customers input a user ID and receive the Facebook user's phone number, we uncovered the phone number of a user who deliberately tries to keep their number private. That number did not appear in tests with the new Telegram bot either. Gal said he also checked the new bot's data with another previous data breach and only one number out of all those tested overlapped.
"What threat actors would want to do with it is extract specific niche pages and have them sold as 'leads'," Gal said when Motherboard showed him the new bot. "For instance, extract the 'Bitcoin UK' group and convert them to a list of phone numbers ready to be sold as leads to companies, quite a lucrative business."
Facebook did not immediately respond to a request for comment. The 500 million dataset was built by attackers exploiting an issue with Facebook's contact import feature, Facebook has said. Facebook has deflected responsibility for that data dump, writing in a blog post "While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly."
Telegram did not immediately respond to a request for comment.
Jason Koebler contributed reporting to this piece.