The phone numbers of more than 500 million Facebook users are up for sale on messaging app Telegram, Motherboard reports.
The person who runs the Telegram bot that put the database up claims to have accessed the data more than two years ago, when a vulnerability that has since been patched by Facebook was still active.
Gaining access to a user’s phone number could enable hackers to connect that number to a person’s Facebook user ID. Access is being sold on a per-search basis. A single lookup is going for $20, but users can buy up to 10,000 search credits at a time for $5,000.
The person who discovered the security issue, Alon Gal, said the Telegram bot has been selling the data since at least January 12, 2021. The numbers in the database are from 2019, but the database still poses a privacy risk for people who have the same phone number now.
Severely harmful to privacy
Motherboard found through its own test that the bot could successfully identify the number of a user who opted to keep their phone number private.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Gal, co-founder and CTO of cybersecurity firm Hudson Rock, told Motherboard.
Facebook has reportedly confirmed the validity of the breach, but it emphasized that the database contains Facebook IDs that were created before it fixed the vulnerability in question. Facebook said it tested the bot against newer data and it didn't turn up any results.
Users with phone numbers tied to Facebook’s database prior to August 2019 should be on the lookout for any otherwise unexplainable increases in spam calls. Users may also be wise to cull any unnecessary personal data from their Facebook accounts.