- A hacker with access to a database of over 500 million Facebook profiles uses a Telegram bot to reveal a Facebook user’s phone number or the Facebook ID associated with a known phone number.
- The hack took advantage of a security vulnerability from 2019 that allowed hackers to link Facebook IDs to their corresponding phone numbers.
- Facebook patched the issue back in 2019, but the Telegram bot can still associate Facebook profiles with phone numbers from that old database.
Facebook has more than 2.74 billion monthly active users as of late September 2020, and a new hack impacts the privacy of nearly a fifth of them. The hack itself isn’t new: the security breach dates back to August 2019, when it emerged that anyone could find the phone number associated with a Facebook profile, or vice-versa. The vulnerability was fixed, but it just resurfaced in the most disturbing way. Somebody monetized a database of over 500 million Facebook users and is now selling phone numbers for $20 via a Telegram bot. Buying in bulk will get you a much better deal.
Customers can query the automated Telegram bot with a person’s phone number, Motherboard reports.
“The bot helps to find out the cellular phone numbers of Facebook users,” the bot says upon launch. Users can then enter a phone number to receive the corresponding Facebook ID, or the Facebook profile to obtain the phone number associated with it. The bot will show you a redacted result if results are available. You’ll need a credit to see the information, which sells for $20. Prices go up to $5,000, which gets you access to 10,000 credits. The database includes Facebook users from the US, Canada, the UK, Australia, and 15 other countries.
A few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts.
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Motherboard says it tested the bot and obtained the real phone number of a Facebook user who tries to keep that number private. Facebook told the blog that the data relates to the vulnerability fixed in August 2019. The database contains old Facebook IDs that were created before the fix. Facebook tested the bot against the newer data and said the bot did not return any results. However, if the bot can still pair old Facebook IDs with phone numbers, this could be a huge problem for users who may be unwitting victims of the 2019 hack.
Malicious individuals could take advantage of the bot to grab data in bulk for additional hacks that require access to phone numbers. Others may target specific users, and this could be dangerous to some people. The only way to fix the problem is to change the phone number so that you won’t risk having a hacker, an abusive ex, or a stalker link your Facebook profile with your phone number or vice-versa.
It’s also a good idea not to share your phone number with social networks, especially Facebook. The company abused phone numbers in the past, actively pushing users to share their phone numbers with the service. Facebook plans to grab more user data from WhatsApp in an upcoming update, which could include the phone numbers of WhatsApp users.
Facebook might say that it patched the 2019 security issues, but the harm was still done. That massive database is still circulating because of a Facebook security issue.
“It is important that Facebook notify its users of this breach, so they are less likely to fall victim to different hacking and social engineering attempts,” cybersecurity firm Hudson Rock’s CTO Alon Gal told Motherboard. The exec was the first to notify the blog about the Telegram bot.