Hackers use bot to find Facebook users’ phone numbers

What do we know about the stolen data?

According to a report by Motherboard, the breached data is related to a security vulnerability that Facebook patched in 2019. The phone numbers might be a couple of years old, but since people don’t change them often, most are probably still active.

The information on the database was up for sale when it was found. A phone number or Facebook ID would cost one “credit”, the equivalent of $20. However, buyers could save money and purchase 10,000 credits for just $5000.

When supplied with a Facebook ID, the bot would be able to return the user’s phone number. Likewise, if the buyer already had the phone number, they could use that to access the owner’s Facebook ID. Data was available from users in the US, the UK, Australia, Canada, India, and other countries.

Since Facebook has around 2.7 billion monthly users, this breach could affect 1 in 5 of its user base.

How perpetrators can use your phone number for fraud

It’s easy to assume that a phone number isn’t of any use to a cybercriminal. In reality, anyone who gets your number through this bot also knows your Facebook ID. When combined with information scraped from your social media accounts, your phone number can allow hackers to launch a variety of scams against you and the people you know:

• Smishing: In smishing attacks, hackers can impersonate your bank, employer, government agencies, or any other service, and send you an SMS containing a malicious link. Clicking on the link could trigger a malware download, giving hackers access to your passwords, credit card details, and other sensitive data.
• Vishing: Rather than sending an SMS, a perpetrator can call your number and convince you to reveal personal information using social engineering tactics — a practice known as Vishing. Imagine a situation where a scammer claims to be calling from your energy supplier, and tells you that there is some problem with your direct debits. They can then ask you to confirm your banking details or home address, tricking you into revealing private information.
• Doxxing: When hackers have your phone number, Facebook ID, home address, and other information, they can leak or sell it online (a tactic referred to as doxxing). This can lead to identity theft and harassment. That’s why an encryption tool like a VPN can be very useful; protecting your data now can prevent hacks and attacks before they happen.
• Identity theft: After examining your social media profiles, scammers can gain a detailed picture of your social group; your family, friends, and co-workers. Then they can find their mobile numbers and contact them. They can pretend to be you, asking for money or more private information.

5 ways to protect yourself from scammers

1: Don’t overshare on social media

It’s tempting to post family pictures, job updates, and details of your daily routine on social media. However, we strongly recommend against it. The more information you share, the more likely that one day somebody will use it against you.

If you can’t live without social media, at least make sure that your profile is private, use a strong password, and be wary of any stranger making contact with you.

2: Think before giving out your phone number

There are a lot of different services that might ask for your phone number, from a fitness app to an online store. Unless it’s absolutely necessary, avoid giving away your phone number. Try using a separate phone for work, too, as the employees of large companies are often targeted by criminal organizations.

3: Don’t trust email and SMS links

If you’ve received an SMS from your bank, hospital, or any other institution, don’t rush to click on the link; it could be a malware trap. Do your research, call the sender if possible, and make sure that the message is legitimate. Look for any grammatical mistakes or unusual formatting.

While this isn’t an option for everyone, the best protection is to ignore any messages that ask you to follow links.

4: Don’t talk to strangers

It’s common to receive a call from your insurance company, internet provider, or real estate agent. However, if they ask you to share your passwords, personal identification number, or credit card details, it’s a red flag. Such sensitive information shouldn’t be discussed on the phone, even if the caller is not a fraudster.

5: Enhance your privacy

You can enhance your privacy by going through your social media settings. Enable two-factor authentication, block any suspicious senders, remove your profile from Google Search, and limit the way people can find you. For example, you can use NordVPN, with its powerful Threat Protection feature, to encrypt your data and block online trackers.