NEW DEHLI: Someone has gotten their hands on a database full of Facebook users’ phone numbers, & is now selling that data using a Telegram bot, according to a report by Motherboard. The security researcher who found this vulnerability, Alon Gal, says that the person who runs the bot claims to have the data of 533 million users, which came from a Facebook vulnerability that was patched in 2019.
With many databases, some amount of technical skill is required to find any useful data. & there often has to be an interaction between the person with the database & the person trying to get data out of it, as the database’s “owner” isn’t going to just give someone else all that valuable data. Making a Telegram bot, however, solves both of these issues.
Few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts.
This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The bot allows someone to do two things: if they have a person’s Facebook user ID, they can find that person’s phone number, & if they have a person’s phone number they can find their Facebook user ID. Though, of course, actually getting access to the data you’re looking for costs money — unlocking a piece of data, like a phone number or Facebook ID, costs one credit, which the person behind the bot is selling for $20. There’s also bulk pricing available, with 10,000 credits selling for $5,000, according to the Motherboard report.
The bot has been running since at least January 12, 2021, according to screenshots posted by Gal, but the data it provides access to is from 2019. That’s relatively old, but people don’t change phone numbers that often. It’s especially embarrassing for Facebook as it historically collected phone numbers from people as well as users who were turning on two-factor authentication.
At the moment it’s unknown if Motherboard or security researchers have contacted Telegram to try to get the bot taken down, but hopefully it’s something that can be clamped down on soon. That’s not to paint too rosy a picture, though — the data is still out there on the web, & it’s resurfaced a couple of times since was initially scraped in 2019. I’m just hoping that the easy access will be cut off.