Data of 533mn Facebook users being sold by means of Telegram bot
In new trouble for Facebook, the phone numbers of 533 million users are being sold through a bot on the encrypted messaging platform Telegram. The data came from a Facebook vulnerability that the social network fixed in 2019.
According to a report on Motherboard, the individual offering the database of Facebook users' phone numbers (at $20 per number) lets customers look up those numbers using an automated Telegram bot.
Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, first cautioned about the Telegram bot selling Facebook users' information.
"It is exceptionally stressing to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing (the false practice of sending text messages) and other false exercises by awful actors," Gal was cited as saying in the report that came out on Monday.
Although the data may be a bit old, it still presents a cybersecurity and privacy risk to those whose phone numbers may be exposed.
"Facebook told Motherboard the data information relates to a vulnerability the company fixed in August 2019."
The Telegram bot lets users enter a phone number to get the corresponding user's Facebook ID, or vice versa.
"The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with costs stretching up to $5,000 for 10,000 credits," the report mentioned.
The bot claims to contain information on Facebook users from the US, Canada, the UK, Australia, and 15 other countries. The Telegram bot has been running since at least January 12.
Facebook and Telegram had yet to officially comment on the report. "It is important that Facebook inform its users of this breach, so they are less likely to fall casualty to distinctive hacking and social engineering attempts," Gal said.
In December last year, reports surfaced that a bug had exposed personal information, such as mail addresses and birthdays, of Instagram users.
Saugat Pokharel, an experienced bug hunter from Nepal, found the bug. The attack used Facebook's Business Suite tool, accessible to any Facebook business account, The Verge reported.
According to a Facebook representative, the bug was only accessible for a short period of time during a small test.
"A researcher reported an issue where, in case someone was a part of a small test we ran in October for trade accounts, personal data of the individual they were messaging could have been revealed," the company representative had said.
In November, Facebook fixed a basic bug in its Messenger app that could have permitted hackers to connect audio calls without the knowledge or approval of the app user. The vulnerability could have been used to spy on Facebook users through Android phones.