The starting price is one credit per number, which is the equivalent of $20, with a discount for bulk buying 10,000 credits at $5,000. The data itself dates from 2019, but the issues of privacy and data leaks are nevertheless pressing and, sadly, ones we hear about all too often nowadays.
Reportedly, 533 million Facebook users' numbers are available, and even though Facebook fixed the issue back in 2019, the information is clearly still there to be taken advantage of.
The security researcher who found the data breach, Alon Gal, told Motherboard, "It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors."
Using a Telegram bot enables a hacker to do two things in this scenario: they can find someone's phone number if they have that person's Facebook user ID; alternatively, if they have the person's Facebook user ID, they can then find their phone number.
In this case, retrieving the information costs a certain amount of money, or credits: one credit for $20, or 10,000 credits for $5,000, as per Motherboard's information.
"Few days ago a user created a Telegram bot allowing users to query the database for a low fee, enabling people to find the phone numbers linked to a very large portion of Facebook accounts. This obviously has a huge impact on privacy."
Alon Gal (Under the Breach) (@UnderTheBreach), January 14, 2021
Gal posted some of their findings on Twitter, explaining that in early 2020 the vulnerability was discovered and taken advantage of, and that the phone numbers of 533 million Facebook users from a number of countries were pulled as a result. The issue is resurfacing now because a Telegram bot lets users pay a fee to retrieve this information, and this can be done on a large scale.
The impact on privacy is huge and worrisome.
It's uncertain whether Telegram has been contacted to remove the bot, but cyber security has to ramp up if sensitive data is to be kept private.