Facebook user database vulnerability taken advantage of by Telegram bot

Facebook User database
Source: theverge.com

A report by Motherboard indicates that the mobile numbers of nearly 500 million users from the Facebook user database are being sold through a Telegram bot. The issue came into the spotlight when a security researcher named Alon Gal highlighted it on his Twitter account.

Someone is selling Facebook users’ data through the Telegram bot. Alon Gal, who found this vulnerability, says that the person selling the Facebook user database claims to have data on nearly 500 million users, which came from a Facebook vulnerability from 2019 that Facebook has already fixed.

However, the data is several years old. Still, it presents a significant threat to those whose mobile numbers have been exposed.

Facebook user database available through Telegram bot

Alon Gal, Co-founder of cybersecurity firm Hudson Rock, is the one who first informed Motherboard about the Telegram Bot.

He further added that, upon launch, the Telegram bot says: “The bot helps to find out the mobile number from Facebook user database”

According to Motherboard’s tests, the Telegram bot lets users enter a mobile number and receive that number’s corresponding Facebook ID, or vice versa. At first, the results from the bot are redacted, but users can buy credits to reveal the full mobile number that the Telegram bot presents.

One credit costs $20, and prices stretch up to $5,000 for 10,000 credits. The Telegram bot claims that it contains information from the Facebook user database covering users from the U.S., Canada, the U.K., Australia, and 15 other countries.

Following Alon Gal’s information, Motherboard tested the Telegram bot and confirmed that it contains real phone numbers from the Facebook user database, belonging to users who try to keep their numbers private.

The Facebook user database vulnerability that was patched in 2019

In 2019, researchers found that it was possible to get their hands on the Facebook user database. Recently, Gal obtained a sample of the Telegram bot’s data and provided that information to Motherboard.

Motherboard then shared the issue, along with a sample, with Facebook so that it could comment. Facebook responded that the data provided by the bot related to Facebook IDs that were created before the Facebook user database vulnerability was fixed. Facebook further said that it also tried the bot against newer data, but the bot didn’t provide any information about new users.

However, the bot can still pose a significant threat to people who may have linked their Facebook accounts with their mobile numbers before August 2019. At that time, Facebook encouraged users to provide their phone numbers so that it could use those phone numbers for two-factor authentication to target users with ads, meaning that Facebook was collecting phone numbers from its most security-minded users. In addition, by 2019 Facebook had already acquired more than 2 billion users across the world.

If a Telegram bot can access this Facebook user database, then it is even easier for cybercriminals or hackers to obtain the information.

Gal added that

It is very crucial that Facebook should alert its users about this Facebook user database vulnerability issue, so they can take some actions, thus reducing the chances of them falling victim, not only to this but also to other hacking and social engineering attempts in the future.

As we can observe from the screenshots posted by Gal, the Telegram bot has been active since at least January 12, 2021, and the information it provides is from 2019. Even though the data is relatively old, people don’t change phone numbers often. It’s a bit embarrassing for Facebook because it historically encouraged people, including users who were turning on two-factor authentication, to provide their phone numbers.

It’s uncertain whether Motherboard or security researchers have contacted Telegram to try to get the bot taken down, but hopefully it’s something that can be handled soon. Still, the data is out there on the web, where it can be taken advantage of. It has been quite some time since the Facebook user database vulnerability issue in 2019. Let’s hope Facebook and Telegram will get this security issue handled soon.

As per the reports, approximately 100 countries are affected by this issue, as their users’ data privacy has been compromised. Even though the Facebook user database issue occurred in 2019, it is still impactful because a large number of users don’t change their phone numbers frequently. In India, more than six lakh users have been affected by this issue.


It is clear that the Facebook user database vulnerability issue happened and was patched in 2019, but some people are still taking advantage of it. The Telegram bot lets users find another user’s phone number from their Facebook ID, or vice versa.