Facebook users beware: according to a report by Motherboard, there is a bot on Telegram that lets anyone look up your phone number for a fee. The person advertising the service says the data covers over 500 million users.
Facebook Users’ Numbers Up For Sale
A user of a low-level cybercriminal forum is selling access to a database of phone numbers belonging to Facebook users. The important thing to note is that buyers do not need the raw database at all: the seller lets customers look up individual numbers through an automated Telegram bot.
The security researcher who flagged the bot, Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, says that the person running it claims to hold the records of 533 million users. The data was obtained through a Facebook vulnerability that was patched in 2019.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
He continues:
A few days ago, a user created a Telegram bot allowing users to query the database for a low fee. This is enabling people to find the phone numbers linked to a very large portion of Facebook accounts.
How it works
- Upon launch, the Telegram bot says “The bot helps to find out the cellular phone numbers of Facebook users”
- The bot lets users enter either a phone number to receive the corresponding user’s Facebook ID, or a Facebook ID to receive the corresponding phone number
- Users then buy credits to reveal the full phone number. One credit is about KES 2000, with prices stretching up to KES 500,000 for 10,000 credits.
The bot has been running since at least January 12, 2021, but the data it provides access to is from 2019. That may sound like two-year-old data, but remember that most people do not change their phone numbers often, so the bulk of it is very likely still accurate.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” Alon said.
According to our tests, it does not seem to recognise Kenyan numbers, but we’ll keep testing. Here’s the list of countries affected.
Full list of affected users by country pic.twitter.com/Wrrzd0WyxE
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021