A Sinister Telegram Bot Is Selling Stolen Facebook User Data For $20 Each

Facebook Phones
In this episode of Misbehaving Bots, automated Telegram miscreants have been found selling private Facebook user data in an unscrupulous forum, for $20 a pop (or even less). Maybe this is why the bots gobbled up all the latest generation CPUs, graphics cards, and game consoles—it's not cryptocurrency mining, but hawking Facebook data! Not really, of course.

Those are two completely separate scenarios, they just happen to both involve bots. And of course there are humans pulling the strings of these automated tools, so no offense meant to our future robot overlords, if any of them in the making are reading this. But anyway, let's talk about the latest privacy screw-up involving Facebook.

Alon Gal, co-founder of cybersecurity firm Hudson Rock, shared a bit of startling information with the folks at Motherboard about a Telegram bot selling access to a database of phone numbers belonging to Facebook users. The data is a few years old, and Facebook claims it fixed the vulnerability that made this kind of scraping possible. However, it's the size of the leak that is troubling—it apparently exposes data belonging to 500 million users.

"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Gal said.

For anyone who is not familiar with the term "smishing," it is a combination of SMS texting and phishing. Instead of sending out phishing emails, malicious actors attempt to spread malware by pinging potential victims with dirty attachments or unsafe links in text messages.

The miscreants behind this latest breach are using Telegram bots to sell the stolen data. Potential buyers can input a phone number to retrieve a person's Facebook ID, or input a Facebook ID to retrieve a person's phone number.

If the bot finds a match, it displays a partial result, and offers to show the full information for a single "credit." A single credit costs $20, or users can buy in bulk to save money. Buying options scale to 10,000 credits for $5,000, which works out to $2 per user (assuming every result costs one credit—it's not clear if certain targets cost more).

According to Facebook, there was a vulnerability that made it possible to extract all those phone numbers, and it was fixed in 2019. Facebook claims the entire data set predates the patch, and that the bot is ineffective against Facebook ID that were created after the patch.

That offers some consolation, but not a whole lot. Users who linked their phone number to their Facebook account before August 2019 are potentially affected, according to the report. By that time, Facebook was home to more than 2 billion users. In other words, now is a good time to remind any less savvy friends and family members to be wary of unsolicited text messages.