Mobile phone numbers of nearly 500 million users are available for sale through a Telegram bot. The data is from 2019, but since most people don’t change numbers that often, those users are still at risk.
The bot allows Telegram users to look up the mobile phone number corresponding to a Facebook ID and vice versa. The results from the search are grayed out at first and are only revealed when paid for using credits. A credit goes for $20 and packages go up to $5,000 for 10,000 credits.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” Alon Gal, a security researcher who first reported the data leak, told Vice.
Facebook has said the vulnerability that was exploited was fixed in August 2019.
In 2019, Forbes magazine reported that it was possible to collect mobile phone numbers from Facebook using a script. Facebook said the vulnerability had been fixed and that no new data could be extracted using the same script.
Facebook has a history of poorly managing its user data. Indian Express reported in September 2019 that an unprotected server was found to contain phone numbers linked to 419 million Facebook IDs of users based in the US, the UK and Vietnam.
This leak was linked to a Facebook feature that allowed users to find one another using their mobile phone numbers. The feature was retracted weeks after the Cambridge Analytica scandal.