Telegram bot sells stolen Facebook user information for $ 20 per pop

The phone numbers (and corresponding site IDs) of some 500 million Facebook users now appear to be for sale on a dark web cybercrime forum.

The criminal or group of responsible criminals built a Telegram robot to serve as a data search function. Potential buyers can now use the bot to sift through data to find phone numbers that match user credentials (or vice versa), with all information unlocked after payment of query ‘credits’. These credits start at $ 20 for a single search and get cheaper if bought in bulk.

The activity was discovered by Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who posted on the program on his Twitter account, and reported by Joseph Cox, to Motherboard.

An unsecured Facebook server containing account information for millions of users appears to be the source of the data for sale here – although this vulnerability was discovered by researchers in 2019 and Facebook has since patched it. Gal claimed that the vulnerability was exploited to create “a database containing the information of 533 million users in all countries”. (For unknown reasons, the bot itself claims to only sell information to users in 19 countries.)

“It is very disturbing to see a database of this size being sold in cybercrime communities, it seriously harms our privacy and will certainly be used for smishing and other fraudulent activities by bad actors.” Gal told Motherboard. “It is important that Facebook inform its users of this violation so that they are less likely to fall victim to various hacking and social engineering attempts,” he added. We’ve reached out to Facebook for feedback and will update if we have any news.

Telegram bots, which were designed to be customizable, are increasingly involved in cyber scams, albeit in a slightly different way from this scenario. Just recently, a report by researchers revealed that bots were being exploited in a scam as a service system, in which criminals were able to automate communications with potential phishing victims. Likewise, a Buzzfeed report from several years ago showed that bots were used by bitcoin crooks to lure victims into shady in-line pump and dump systems.