Someone has got hold of a database full of Facebook users’ phone numbers and is now selling that data through a Telegram bot, according to a report by Motherboard. Alon Gal, the security researcher who discovered this, says the person running the bot claims to have information on 533 million users, which came from a Facebook vulnerability patched in 2019.
With many databases, extracting any useful data requires some technical skill. And often the person with the database has to interact with the person trying to get information out of it, because the “owner” of the database is not going to give all that valuable data away. A Telegram bot, however, solves both of these issues.
A few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers associated with a very large proportion of Facebook accounts.
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
– Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The bot allows someone to do two things: if they have an individual’s Facebook user ID, they can find that person’s phone number, and if they have an individual’s phone number, they can find their Facebook user ID. Of course, accessing the information you’re looking for costs money – unlocking a piece of information, such as a phone number or Facebook ID, costs one credit, which the person behind the bot sells for $20. Bulk pricing is also available, with 10,000 credits selling for $5,000, according to the Motherboard report.
The bot has been running since at least January 12, 2021, according to screenshots posted by Gal, but the data it provides access to is from 2019. That’s relatively old, but people don’t change phone numbers frequently. It’s particularly embarrassing for Facebook, as it has historically collected phone numbers from users, including those who turned on two-factor authentication.
At present it is unknown whether Motherboard or security researchers have contacted Telegram to try to get the bot removed, but hopefully it’s something that can be clamped down on soon. That’s not to paint an overly rosy picture, though – the data is still out there on the web and has resurfaced a couple of times since it was first scraped in 2019. I do hope that the easy access is cut off.