According to the security researcher, the information was leaked due to a vulnerability found in Facebook in 2019.
Alon Gal, a security researcher, recently said on Twitter that a user had created a Telegram bot that allowed users to access the database carrying the phone numbers of millions of Facebook users.
Stating that the user’s act has a huge impact on the privacy of Facebook users, Gal tweeted, “Few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy.”
He further revealed, “In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information 533m users across all countries. It was severely under-reported and today the database became much more worrisome.”
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The Telegram bot lets users find the phone number of another user if they have that person’s Facebook ID; conversely, a user who has a person’s phone number can get that person’s Facebook ID, says a report by Motherboard.
To access such sensitive information, however, users have to pay the person behind the bot 20 dollars.
The bot is also selling information in bulk. For 10,000 credits the bot is charging 5,000 dollars, the report said.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” the Motherboard report quoted Gal as saying.
“It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts,” Gal added.
According to the screenshots shared by Gal, the bot has been active since January 12, 2021, but it is alleged to carry users’ data from 2019.