A cybercriminal has created a bot that’s selling access to millions of Facebook users’ cellphone numbers through the Telegram messaging app, a new report says.
The bot pulls the info from a massive database of phone numbers taken from Facebook before the social network patched a security hole in 2019, according to Motherboard.
Anyone who pulls up the bot’s Telegram profile can enter the Facebook ID of the person they’re looking for and the bot will fetch the corresponding phone number, the outlet reported Monday. It reportedly works the other way, too — enter a phone number and the bot will retrieve the Facebook ID that matches it.
But there’s a catch — the bot initially hides most of the phone number and forces users to pay to see the the whole thing, according to the report. Prices reportedly run from $20 for a single “credit” to $5,000 for 10,000 credits.
The unidentified person who created the bot claims it can access phone numbers for 533 million Facebook users in dozens of countries, according to Alon Gal of the cybersecurity firm Hudson Rock, who spotted it earlier this month.
“It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts,” Gal told Motherboard.
Facebook said the data stems from a previous security problem that allowed cyberattackers to match phone numbers to user profiles using a sophisticated software code.
“This is old data,” a Facebook spokesperson told The Post in an email. “We found and fixed this issue in August 2019.”
The Telegram bot didn’t return any matches when Facebook tried to check it against newer user data, the tech giant added.
But that doesn’t help people who linked their phone numbers to their Facebook accounts before the issue was fixed, Motherboard noted. The social network already had more than 1.6 billion daily active users in September 2019.
It’s unclear whether Telegram will take down the bot. A Telegram representative did not immediately respond to a request for comment Tuesday.