In a fresh trouble for Facebook, phone numbers of 533 million users are currently being sold via a bot on encrypted messaging platform Telegram, which came from a Facebook vulnerability that was patched by the social network in 2019.
According to a report in Motherboard, the person selling the database full of Facebook users' phone numbers (it's $20 per number) lets customers lookup those numbers by using an automated Telegram bot.
Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock first alerted about the Telegram bot selling Facebook users' information.
"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing (the fraudulent practice of sending text messages) and other fraudulent activities by bad actors," Gal was quoted as saying in the report that came out on Monday.
Although data is a bit old but it still presents a cybersecurity and privacy risk to those whose phone numbers may be exposed.
"Facebook told Motherboard the data relates to a vulnerability the company fixed in August 2019".
The Telegram bot lets users enter either a phone number to receive the corresponding user's Facebook ID, or visa versa.
"The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits," the report mentioned.
The bot claims to contain information on Facebook users from the US, Canada, the UK, Australia and 15 other countries. The Telegram bot has been running since at least January 12.
Facebook or Telegram were yet to officially comment on the report. "It is important that Facebook notify its users of this breach, so they are less likely to fall victim to different hacking and social engineering attempts," Gal said.
In December last year, reports surfaced that a bug exposed the personal information like email addresses and birthdays of Instagram users.
Saugat Pokharel, an experienced bug hunter from Nepal, discovered the bug. The attack used Facebook's Business Suite tool, available to any Facebook business account, reported The Verge.
According to a Facebook spokesperson, the bug was only accessible for a short period of time during a small test.
"A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed," the company spokesperson had said.
In November, Facebook fixed a critical bug in its Messenger app that could have allowed hackers to connect audio calls without the knowledge or approval from the app user. The vulnerability could have been used to spy on Facebook users via Android phones.