Another database of leaked Facebook users' phone numbers found online
Barely a week has passed since Mark Zuckerberg-led Facebook sprang a data leak that put the personal data of around 533 million users out in the open. During its investigation into this leak, Motherboard uncovered a completely separate database of Facebook users' phone numbers circulating on Telegram. This database reportedly remains undetected by popular breach detection tools such as Have I Been Pwned (HIBP).
Information of everyone who 'Liked' a particular Facebook Page available
Motherboard's most recent find is a bot that hands anyone the phone numbers of all the users who "Liked" a given Facebook Page. These phone numbers reportedly belong to a dataset that is independent of the Facebook breach last week. The bot reportedly offers the data for free if the selected Facebook Page has under 100 Likes.
Data from Pages with many Likes costs few hundred dollars
Once a potential customer provides the bot with the unique identification code of a Facebook Page, the bot calculates the cost of the data in dollars and presents an option to proceed with the purchase. According to Motherboard, data from a Facebook Page with many thousands of Likes would cost a few hundred dollars, a small price for bad actors determined to target victims.
Phone numbers are usable as 'leads' for more targeted scams
The bot outputs a spreadsheet containing each Facebook user's full name, phone number, and gender. If you're someone who Likes multiple Facebook Pages just because a friend asked you to, there is a high possibility that your phone number is already somewhere it shouldn't be. The concerning part is that phone numbers can be used for phishing, location tracking, and financial fraud.
No contacted Facebook profiles had their phone number publicly visible
Motherboard took names from the spreadsheet, found each person's profile on Facebook, and cross-checked that the person had actually Liked the Page. The publication even called some phone numbers from the spreadsheet, and they turned out to be correct. Surprisingly, none of the contacted profiles had their contact numbers publicly visible. However, the underlying database doesn't seem to be updated in real time, Motherboard said.
Facebook's explanation for last week's breach leaves unanswered questions
Facebook claimed that the breach last week involved only publicly visible user data that had been scraped from the website. However, that doesn't explain how the recently discovered bot could access phone numbers that aren't publicly visible. It also doesn't explain how Zuckerberg's phone number was leaked last week. Surely he didn't want the world to know that he uses Signal!
HIBP didn't associate these leaked phone numbers with data breach
In some cases, the bot reportedly provided the information for only a small fraction of the total Likes on the Page. Worryingly, the phone numbers returned by the bot weren't associated with any breaches on HIBP, so this breach has gone largely undetected. Facebook refused to comment on Motherboard's findings, while Telegram did not respond.