Someone put their hands on a database full of phone numbers for Facebook users and is now selling that data using a Telegram bot, according to a report by Motherboard. The security researcher who found this vulnerability, Alon Gal, says the person who runs the bot claims to have information from 533 million users, who came from a Facebook vulnerability fixed in 2019.
With many databases, some technical skill is required to find any useful data. And there often has to be an interaction between the person with the database and the person trying to extract information from it, since the “owner” of the database will not just give someone all that valuable data. Making a Telegram bot, however, solves these two problems.
A few days ago, a user created a Telegram bot that allows users to consult the database for a low fee, allowing people to find the phone numbers linked to a large part of Facebook accounts.
This obviously has a big impact on privacy. pic.twitter.com/lM1omndDET
– Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The bot allows someone to do two things: if they have a person’s Facebook user ID, they can find that person’s phone number, and if they have a person’s phone number, they can find their person ID Facebook user. While, of course, getting access to the information you’re looking for costs money – unlocking information, such as a phone number or Facebook ID, costs a credit, which the person behind the bot is selling for $ 20. mass available, with 10,000 credits sold for $ 5,000, according to the motherboard report.
The bot has been running since at least January 12, 2021, according to the images posted by Gal, but the data to which he provides access is from 2019. It’s relatively old, but people don’t change phone numbers often. It is especially embarrassing for Facebook, as it has historically collected phone numbers from people, including users who enable two-factor authentication.
At the moment it is not known whether Motherboard or security researchers contacted Telegram to try to take the bot down, but I hope it is something that can be repressed soon. This is not to paint a very optimistic picture, however – the data is still available on the web and has reappeared a few times since it was initially removed in 2019. I just hope that easy access will be stopped.