- Low-level actors have set up an automated service that lets people correlate Facebook IDs with phone numbers.
- This can be used for smishing, spamming, or for bypassing 2FA and taking over valuable accounts.
- The operation affects roughly one out of five Facebook users, but the platform has not sent out any notifications.
A cybercriminal has set up a Telegram bot that allows anyone who pays to access the service to look up the phone numbers of approximately 500 million Facebook users. While this is generally considered a low-level activity, it can still pose risks to the people whose details are in the Telegram bot’s database. Facebook has confirmed the data’s validity and attributes its scraping to a vulnerability fixed back in August 2019. That said, the data can be as recent as the fix date.
Typically, the users who pay to access the service will use the cellular phone numbers to launch smishing campaigns or send numerous spam messages. The most sophisticated actors will go for 2FA bypassing through SIM swap attacks, so knowing the number used by a particular user is key information. Users who openly boast about their crypto investments on Facebook should be the ones most worried about this dire possibility.
The cost to access the service is variable, starting from $20 for a single look-up action and going up to $5,000 for 10,000 searches. As it can be easily deduced, those who are willing to pay these amounts see it as an investment, so they have a clear plan on how they’ll take advantage of their access to this data.
Facebook hasn’t sent any notifications to the users who may be affected by this data leak, so people have not been warned of the increased likelihood of receiving smishing SMS. The bot claims to be holding Facebook users’ data based in the United States, United Kingdom, Canada, Australia, and another 15 countries, so the pool is pretty large.
Facebook has 2.7 billion users, so this exposure corresponds to about 18.5% of the total. That should be enough to guarantee the distribution of notices, but we’re not seeing it for the moment.
If you use the same phone number for 2FA on critical platforms as the one you gave Facebook when you created your account, now is the time to buy a new number and switch to that one. Remember, the ultimate security practice is to avoid sharing any real information about yourself on the internet, so don’t use your regular phone number for two-factor authentication. Those who have practiced this have nothing to fear from the Telegram bot now.