Hackers can easily look up your phone number from Facebook using cheap bot
The database comes from a breach in 2019 where nearly 500 million users had their accounts scraped
Sign up to our free weekly IndyTech newsletter delivered straight to your inbox
Sign up to our free IndyTech newsletter
A database of phone numbers belonging to Facebook users is being sold on a cybercriminal forum, with customers looking up numbers using a Telegram bot.
One person advertising the phone numbers says it contains data on nearly 500 million users, although the information is several years old.
In 2019, a security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.
A total of 18 million were from users in the UK, while around 133 million were from American accounts.
When the bot – which uses the messaging service Telegram, which recently saw an influx of users - is launched, it says: "The bot helps to find out the cellular phone numbers of Facebook users”, according to Motherboard.
Users can enter a phone number to receive a user’s Facebook identification, for profiles in the UK, US, Canada, Australia, and 15 other countries. This also works in reverse – a Facebook ID can be used to harvest a users’ phone number.
While the initial results from the bot are hidden, users can pay to reveal the full phone number. It costs $20 per phone number unlocked, with prices reaching $5,000 for 10,000 numbers.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," said Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who alerted Motherboard to the breach.
Gal obtained a sample of the bot’s data, which Motherboard then shared with Facebook.
Facebook told Motherboard the data relates to a vulnerability the social media company patched in August 2019, but that the data had been scraped before the company implemented its fix.
When tested against new data the bot did not return any results, but is still concerning for people who linked their number to Facebook before August 2019 – which Facebook encouraged and at times required, Motherboard reports.
"It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts," Gal told Motherboard.
Facebook did not respond to a request for comment from The Independent before publication.
Subscribe to Independent Premium to bookmark this article
Want to bookmark your favourite articles and stories to read or reference later? Start your Independent Premium subscription today.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies