Someone has obtained a database full of Facebook users’ phone numbers and is now selling access to that data through a Telegram bot, according to a report from Motherboard. The security researcher who discovered this vulnerability, Alon Gal, says the person who runs the bot claims to have information on 533 million users, which came from a Facebook vulnerability that was patched in 2019.
With many databases, some degree of technical skill is required to find any useful data. Often there must also be an interaction between the person who holds the database and the person trying to obtain information from it, because the “owner” of the database will not simply hand all that valuable data to someone else. Making a Telegram bot, however, solves both of these problems.
A few days ago, a user created a Telegram bot allowing users to query the database for a low fee, allowing people to find phone numbers associated with a very large portion of Facebook accounts.
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
– Alon Gal (UnderTheBreach) January 14, 2021
The bot lets a person do two things: if they have someone’s Facebook user ID, they can find that person’s phone number, and if they have someone’s phone number, they can find their Facebook user ID. Accessing that information costs money, of course: unlocking a piece of information, like a phone number or Facebook ID, costs one credit, which the person behind the bot sells for $20. Bundled pricing is also available, with 10,000 credits selling for $5,000, according to Motherboard.
The bot has been running since at least January 12, 2021, according to the footage published by Gal, but the data it provides access to dates back to 2019. That is relatively old, but people don’t change phone numbers often. It’s especially embarrassing for Facebook because it has historically collected phone numbers from people, including users with two-factor authentication turned on.
At the moment, it is not known whether Motherboard or security researchers have contacted Telegram to try to get the bot removed, but hopefully this is something that can be restricted soon. That doesn’t paint a very rosy picture, though: the data is still out there on the web, and it has reappeared a number of times since it was initially removed in 2019. I just hope the easy access gets cut off.