Taken from a 2019 vulnerability
A Facebook vulnerability that was patched in 2019 has resulted in the phone numbers of over 500 million users going on sale via a dark web cybercrime forum. Interested buyers can look up information in the database using a Telegram bot.
Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, discovered the activity and alerted Motherboard. “It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” he said.
What makes this database particularly worrying is how easily anyone can search through the claimed 533 million entries. The person or people responsible have created a Telegram bot that lets anyone find a user’s phone number—providing they have their Facebook ID. Alternatively, they can find their Facebook ID from just a phone number.
In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries.
It was severely under-reported and today the database became much more worrisome 1/2 pic.twitter.com/ryQ5HuF1Cm
— Alon Gal (Under the Breach) (@UnderTheBreach) January 14, 2021
The information doesn’t come for free, of course. Each entry is unlocked after handing over a “credit,” which costs $20. These come with a bulk discount: 10,000 credits can be bought for $5,000.
The bot has been active since at least January 12, 2021. And while the data only goes up to 2019—when Facebook fixed its insecure server—many people keep the same phone number for years.
At the time of the original security breach, it was reported that some of the phone numbers belonged to celebrities.
“It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts,” Gal added.
This isn’t the first instance of Facebook making people wish they never handed over so many details. In 2018, it was discovered that the social media giant was using two-factor authentication phone numbers to target ads.