A Telegram Bot Is Giving Away the Phone Numbers of 500 Million Facebook Users

  • Low-level actors have set up an automated service that lets people correlate Facebook IDs with phone numbers.
  • This can be used for smishing, spamming, or for bypassing 2FA and taking over valuable accounts.
  • The operation affects roughly one out of five Facebook users, but the platform has not sent out any notifications.

A cybercriminal has set up a Telegram bot that allows anyone who pays to access the service to look up the phone numbers of approximately 500 million Facebook users. While this is generally considered a low-level activity, it can still pose risks to the people whose details are in the Telegram bot's database. Facebook has confirmed the data's validity and attributes its scraping to a vulnerability they fixed back in August 2019. That said, the data can be as recent as that fix date, but no newer.

Typically, the users who pay to access the service will use the cellular phone numbers to launch smishing campaigns or send large volumes of spam messages. The most sophisticated actors will go for 2FA bypasses through SIM swap attacks, for which knowing the number used by a particular user is key information. Users who openly boast about their crypto investments on Facebook are the ones who should worry most about this possibility.

The cost to access the service is variable, starting from $20 for a single look-up and going up to $5,000 for 10,000 searches. As can easily be deduced, those who are willing to pay these amounts see it as an investment, so they have a clear plan on how they'll take advantage of their access to this data.

Source: Vice

Facebook hasn't sent any notifications to the users who may be affected by this data leak, so people have not been warned of the increased likelihood of receiving smishing messages. The bot claims to hold data on Facebook users based in the United States, United Kingdom, Canada, Australia, and another 15 countries, so the pool is pretty large.

Facebook has 2.7 billion users, so this exposure corresponds to about 18.5% of the total. That should be enough to guarantee the distribution of notices, but we’re not seeing it for the moment.

If the phone number you use for 2FA on critical platforms is the same one you gave Facebook when you created your account, now is the time to get a new number and switch to that one. Remember, the ultimate security practice is to avoid sharing any real information about yourself on the internet, so don't use your regular phone number for two-factor authentication. Those who have practiced this have nothing to fear from the Telegram bot now.
