A user of a low-level cybercriminal forum is selling access to a database of phone numbers belonging to Facebook users, and conveniently letting customers look up those numbers by using an automated Telegram bot.
Although the data is several years old, it still presents a cybersecurity and privacy risk to those whose phone numbers may be exposed—one person advertising the service says it contains data on 500 million users. Facebook told Motherboard the data relates to a vulnerability the company fixed in August 2019.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, and who first alerted Motherboard about the bot, said.
Upon launch, the Telegram bot says "The bot helps to find out the cellular phone numbers of Facebook users," according to Motherboard's tests. The bot lets users enter either a phone number to receive the corresponding user's Facebook ID, or vice versa. The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits. The bot claims to contain information on Facebook users from the U.S., Canada, the U.K., Australia, and 15 other countries.
Motherboard tested the bot and confirmed it contained the real phone number of a Facebook user who tries to keep this number private.
In 2019, researchers found it was possible to scrape Facebook users' phone numbers en masse. Gal obtained a sample of the bot's data and provided it to Motherboard. When Motherboard then shared that sample with Facebook so the company could comment, Facebook said the data contained Facebook IDs that were created prior to Facebook's fix of the contact vulnerability. Facebook said it also tested the bot itself against newer data, and that the bot did not return any results.
But the bot can still present a significant issue for people who may have linked their number to their Facebook account before August 2019. This should be cold comfort to many—for years before 2019, Facebook encouraged and at times required users to give it their phone number. It was also caught using the phone numbers people gave the company for two-factor authentication to target users with ads, meaning it was gathering phone numbers from its most security-minded users. By 2019, Facebook already had more than 2 billion users worldwide. And the ease of access for this new bot means that even unsophisticated cybercriminals or hackers can obtain the information.
"It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts," Gal added.