Stop me if you’ve heard this one before. Millions of Facebook users’ personal information is being sold on the internet without their permission. Oh, right, we’ve all heard this before. Several times.
According to Motherboard, approximately 533 million phone numbers belonging to users of Facebook are currently available for sale through an automated Telegram bot database that allows anyone to enter the Facebook user’s ID, pay some “credits” and be provided with the user’s unredacted phone number.
The data is reportedly a couple of years old, but that doesn’t make it any less of a security and privacy failure on Facebook’s end. Millions of these phone numbers, thought to be hidden by users, will obviously still be accurate and in use. Throw in the fact that Facebook uses phone numbers as part of its two-factor authentication for logging into accounts and it’s even more troubling.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” said Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock – the person who first alerted Motherboard about the bot.
The database also will allow the reverse, letting people find someone’s Facebook user ID if they have that person’s phone number.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries. It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Upon launch, the Telegram bot says “The bot helps to find out the cellular phone numbers of Facebook users,” according to Motherboard’s tests. The bot lets users enter either a phone number to receive the corresponding user’s Facebook ID, or vice versa. The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits. The bot claims to contain information on Facebook users from the U.S., Canada, the U.K., Australia, and 15 other countries.
Motherboard tested the bot and confirmed it contained the real phone number of a Facebook user who tries to keep this number private.
The bot has been running since at least January 12, 2021, according to Gal.
A few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy. pic.twitter.com/lM1omndDET
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
Facebook, which recently came to a secret settlement regarding the Cambridge Analytica data that was leaked a few years back, informed Motherboard that the data being sold relates to a vulnerability the company claims it fixed in August of 2019.
Facebook added that the data being sold contains Facebook IDs that were created prior to its 2019 fix and claimed that it tested the bot against newer data and it did not return any results. All of which means basically nothing, as Facebook already had over 2 billion users by the time the vulnerability was fixed.
It’s also little consolation to those whose phone numbers are still being sold online without their permission almost two years later.