Associating the word ‘vulnerability’ with the social network Facebook is no longer surprising at this point, but every time it happens it is still serious, all the more so when there is a shameless profit motive behind it, as is the case with a Telegram bot. First, some context: in 2019, researchers at the security firm Hudson Rock discovered that it was possible to obtain Facebook users’ phone numbers in bulk.
Vulnerability on Facebook
Alon Gal, co-founder and CTO of Hudson Rock, obtained a sample of the bot’s data and passed it on to the specialist website Motherboard. When the website shared that sample with Facebook so the company could act, the social network said the data contained Facebook IDs that were created before Facebook fixed the contacts vulnerability. Facebook said that it had also tested the bot itself with more recent data, and that the bot returned no results.
But the bot can still pose a significant problem for people who linked their number to their Facebook account prior to August 2019, a year in which Facebook already had more than 2 billion users worldwide. And the ease of access of this new bot means that even unsophisticated cybercriminals or hackers can obtain the information. That’s where Telegram comes in.
The Telegram bot that sells access
There is a Telegram bot (an automated account) that claims to have the phone numbers of more than 500 million Facebook users, which were leaked due to the aforementioned vulnerability that the company fixed in August 2019. According to Alon Gal, this data is available through a Telegram bot whose author, who according to the Vice website is from “a cybercriminal forum”, lets anyone who wishes see the stolen phone numbers in exchange for payment.
With this data, it is subsequently possible to access certain Facebook user accounts. When launched, the Telegram bot says: “The bot helps to find out the mobile phone numbers of Facebook users,” according to Motherboard’s tests. The bot allows users to enter a phone number to receive the corresponding user’s Facebook ID, or vice versa. Initial bot results are redacted, but users can purchase credits to reveal the full phone number.
A credit costs $20, with prices ranging up to $5,000 for 10,000 credits. The bot claims it contains information on “Facebook users from the United States, Canada, the United Kingdom, Australia, and 15 other countries.” Motherboard tested the bot and confirmed that it contained the actual phone number of a Facebook user who tries to keep that number private.
In theory, the Facebook vulnerability that leaked the numbers was fixed a year and a half ago, but the problem persists. According to Gal, “it is important that Facebook notify its users about this breach to reduce the chances that they will be victims of different hacking attempts and social engineering.”