According to a report by Motherboard, the cell phone numbers of nearly 500 million Facebook users are for sale via a Telegram bot. According to security researcher Alon Gal, who first highlighted the issue on his Twitter account, the data includes about 6 lakh Indian users.
According to Gal, the user running the bot is exploiting a Facebook vulnerability that was reported and patched in 2020. The vulnerability allowed anyone to access the phone numbers associated with every Facebook account in every country. It was exploited to create a database of Facebook user accounts and their cell phone numbers, which is now being sold through the bot.
This is not the first time Facebook has reported an issue related to securing user data, especially regarding cell phone numbers. As early as 2019, it was reported that cell phone numbers of nearly 419 million Facebook users were found on an unprotected server, which the company admitted to be a problem and later fixed.
It’s worth noting that the data provided by the Telegram bot is from 2019. However, since many people don’t update their phone numbers every year, the information sold is likely to be accurate. The security researcher has reported that users from over 100 countries are affected. In India, over 6,162,450 users are affected.
According to Motherboard, anyone who has a person’s phone number can find that person’s Facebook user ID using the Telegram bot. However, to access the information, they have to pay. The person who created the Telegram bot sells a phone number or Facebook ID for $20, which is around 1,460 rupees in India. The bot also sells Facebook users’ data in bulk. For 10,000 credits, the bot charges $5,000 (about 3,65,160 rupees), the report adds.
In early 2020, a vulnerability was exploited that made it possible to display the phone number associated with each Facebook account and created a database of the information that contains 533 million users in all countries.
It got heavily under-reported and today the database got a lot more worrying 1/2 pic.twitter.com/ryQ5HuF1Cm
– Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Gal notes that this is a serious privacy issue. He also said the problem was grossly underestimated when it was first highlighted and the database has become much more worrying today. He told Motherboard that the data can be used for “smearing and other deceitful activities by bad actors,” adding that Facebook should inform users of this issue.