Phone numbers of 533 million Facebook users are currently being sold through a bot on the encrypted messaging platform Telegram; the data stems from a Facebook flaw that the social network fixed in 2019.
According to a report in Motherboard, an individual selling a database full of Facebook users’ phone numbers ($20 per number) lets customers search those numbers using an automated Telegram bot.
Alon Gal, co-founder and CTO of the cybersecurity company Hudson Rock, first warned about the Telegram bot selling Facebook users' details.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing (the fraudulent practice of sending text messages) and other fraudulent activities by bad actors,” Gal was quoted as saying in the report that came out on Monday.
Although the data is a little old, it still poses a cybersecurity and privacy risk to anyone whose phone number might be exposed in it.
“Facebook told Motherboard the data relates to a vulnerability the company fixed in August 2019.”
The Telegram bot allows users to enter a phone number to obtain the corresponding user's Facebook ID, or vice versa.
“The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits,” the report mentioned.
The bot appears to contain information on Facebook users from the United States, Canada, the United Kingdom, Australia and 15 other nations.
The Telegram bot has been running since at least 12 January.
Facebook and Telegram are yet to make an official statement on the report.
“It is important that Facebook notify its users of this breach, so they are less likely to fall victim to different hacking and social engineering attempts,” Gal said.
In December last year, reports emerged that a bug leaked personal details such as email addresses and Instagram users’ birthdays.
The bug was discovered by Saugat Pokharel, an experienced bug hunter from Nepal. The attack used the Facebook Business Suite tool, which was available on any Facebook business account, The Verge reported.
According to a Facebook spokesperson, the bug was only available for a brief period of time during a limited test.
“A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed,” the company spokesperson had said.
In November, Facebook patched a critical bug in its Messenger app that could have allowed hackers to connect audio calls without the knowledge or permission of the app user.
The vulnerability may have been used to spy on Facebook users on Android phones.