A database of phone numbers belonging to a reported 533 million Facebook users is being offered around by a Telegram bot. The secure messaging app is being misused to allow individuals to acquire sensitive information without the owner’s consent, and without even having to interact with the unnamed individual that is running the bot.
According to reports, the Facebook information being offered around by the Telegram bot stems from a 2019 vulnerability that has since been patched. If an individual knows a person’s Facebook ID, they can use the bot to acquire the corresponding telephone number. Conversely, if an individual knows someone’s phone number, the bot can be used to find out that person’s Facebook ID.
The Telegram bot is not in the business of giving away sensitive information for free, however. Unlocking a single piece of information costs one credit, which will set you back $20. Bulk discounts are available, with 10,000 credits on offer for $5,000.
Data for sale
Reports of the Telegram bot started emerging a couple of weeks ago, which is a pretty embarrassing development for Facebook given that it usually asks for a person’s phone number so it can enable two-factor authentication. A data breach, even one that is two years old, has turned this security feature into a potential vector for follow-up attacks.
It is not clear who is behind the Telegram bot, but the messaging app should probably get the bot taken down as soon as possible. The more opportunity it has to sell sensitive information, the greater the likelihood of affected Facebook users being targeted by phishing attempts and other fraudulent activity.
Although disabling the Telegram bot will not remove the data stemming from the 2019 Facebook breach from the web, it will at least shut down one avenue of accessing it.
Via The Verge