Someone has gotten their hands on a database full of Facebook users’ phone numbers, and is now selling that data using a Telegram bot, according to a report by Motherboard. The security researcher who found this vulnerability, Alon Gal, says that the person who runs the bot claims to have the information of 533 million users, which came from a Facebook vulnerability that was patched in 2019.
With many databases, some amount of technical skill is required to find any useful data. And there often has to be an interaction between the person with the database and the person trying to get information out of it, as the database’s “owner” isn’t going to just give someone else all that valuable data. Making a Telegram bot, however, solves both of these issues.
Few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts.— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
The bot allows someone to do two things: if they have a person’s Facebook user ID, they can find that person’s phone number, and if they have a person’s phone number they can find their Facebook user ID. Though, of course, actually getting access to the information you're looking for costs money — unlocking a piece of information, like a phone number or Facebook ID, costs one credit, which the person behind the bot is selling for $20. There’s also bulk pricing available, with 10,000 credits selling for $5,000, according to the Motherboard report.
The bot has been running since at least January 12, 2021, according to screenshots posted by Gal, but the data it provides access to is from 2019. That’s relatively old, but people don’t change phone numbers that often. It’s especially embarrassing for Facebook as it historically collected phone numbers from people including users who were turning on two-factor authentication.
At the moment it’s unknown if Motherboard or security researchers have contacted Telegram to try to get the bot taken down, but hopefully it’s something that can be clamped down on soon. That’s not to paint too rosy a picture, though — the data is still out there on the web, and it’s resurfaced a couple of times since it was initially scraped in 2019. I’m just hoping that the easy access will be cut off.