Hackers can easily look up your phone number from Facebook using cheap bot

The database comes from a breach in 2019 where nearly 500 million users had their accounts scraped

Adam Smith
Monday 25 January 2021 12:26 EST

A database of phone numbers belonging to Facebook users is being sold on a cybercriminal forum, with customers looking up numbers using a Telegram bot.

One person advertising the phone numbers says it contains data on nearly 500 million users, although the information is several years old.

In 2019, a security researcher found 419 million records on an unsecured server, meaning no password was needed to access them.

A total of 18 million were from users in the UK, while around 133 million were from American accounts.

When the bot – which runs on the messaging service Telegram, a platform that recently saw an influx of users – is launched, it says: "The bot helps to find out the cellular phone numbers of Facebook users", according to Motherboard.

Users can enter a phone number to receive a user's Facebook identification, for profiles in the UK, US, Canada, Australia, and 15 other countries. This also works in reverse – a Facebook ID can be used to harvest a user's phone number.

While the initial results from the bot are hidden, users can pay to reveal the full phone number. It costs $20 per phone number unlocked, with prices reaching $5,000 for 10,000 numbers.

"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," said Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who alerted Motherboard to the breach.

Gal obtained a sample of the bot's data, which Motherboard then shared with Facebook.

Facebook told Motherboard the data relates to a vulnerability the social media company patched in August 2019, but that the data had been scraped before the company implemented its fix.

When tested against new data the bot did not return any results, but it is still concerning for people who linked their number to Facebook before August 2019 – which Facebook encouraged and at times required, Motherboard reports.

"It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts," Gal told Motherboard.

Facebook did not respond to a request for comment from The Independent before publication.
