Mobile phone numbers of nearly 500 million Facebook users are up for sale via a Telegram bot, according to a report by Motherboard. The data includes numbers of around 6 lakh Indian users, according to security researcher Alon Gal, who first highlighted the problem on his Twitter account.
According to Gal, the user who is running the bot is exploiting a Facebook vulnerability that was reported in 2020 and has since been patched. The vulnerability, however, allowed anyone to access the phone numbers linked to every Facebook account across all countries. It was exploited to create a database of Facebook user accounts and their mobile phone numbers, which is now being sold via the bot.
This is not the first time an issue has been reported with regard to how Facebook secures user data, especially with regard to mobile phone numbers. It was reported back in 2019 that mobile phone numbers of nearly 419 million Facebook users were found on an unprotected server, which the company had admitted was a problem and had later fixed.
It is worth noting that the data provided by the Telegram bot is from 2019. But given that plenty of people do not update phone numbers every year, the information being sold is likely accurate. The security researcher has reported that users from over 100 countries are affected. In India, over 6,162,450 users are impacted by this.
According to Motherboard, if someone has a person’s phone number, they can find that person’s Facebook user ID with the help of the Telegram bot. But in order to access the information, they will be required to pay. The person who created the Telegram bot is selling a phone number or Facebook ID for $20, which is around Rs 1,460 in India. The bot is also selling Facebook users’ data in bulk. For 10,000 credits, the bot is charging $5,000 (around Rs 3,65,160), adds the report.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Gal notes this is a serious privacy concern. He also said the issue was severely under-reported when it was first highlighted and today the database has become much more worrisome. He told Motherboard the data can be used for “smishing and other fraudulent activities by bad actors,” adding that Facebook should notify users of this problem.