The vulnerability allowed almost anyone to access the phone numbers linked to Facebook accounts across the world.

In an apparent security breach, the mobile phone numbers of over 500 million Facebook users are up for sale through a Telegram bot. According to security researcher Alon Gal (via Motherboard), the data includes the phone numbers of over 60 lakh Indian users. Gal first highlighted the problem on the microblogging site Twitter.

Gal said that the person who runs the bot claimed that the information of 533 million Facebook users came from a vulnerability that the social media giant patched in 2019.

But the vulnerability allowed almost anyone to access the phone numbers linked to Facebook accounts across the world. It was exploited to create a database of user accounts and their phone numbers, which is now being sold via the bot.

"In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across all countries. It was severely under-reported and today the database became much more worrisome 1/2" pic.twitter.com/ryQ5HuF1Cm
Alon Gal (Under the Breach) (@UnderTheBreach), January 14, 2021

Anyone with a person's phone number can use the Telegram bot to find the matching Facebook user ID, and vice versa. However, those who want to access the information will have to pay for it, and this will cost them one credit. The person behind the bot is selling a phone number or Facebook user ID for USD 20. There is also bulk pricing for the data: the bot charges USD 5000 for 10,000 credits.

"A few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy." pic.twitter.com/lM1omndDET
Alon Gal (Under the Breach) (@UnderTheBreach), January 14, 2021

The Telegram bot is said to have been running since at least January 12, 2021, but the data it provides is from 2019. However, the data may still be accurate, considering that very few people change their phone numbers that often. According to the security researcher, data on users from over 100 countries is up for sale through the bot.

Gal said that despite being a serious privacy concern, the issue was under-reported when it was first highlighted.