An automated bot on Telegram is leaking private information belonging to users on Facebook, according to a report by Motherboard.
The website explained that the bot helps users to look up mobile phone numbers belonging to Facebook users. It can also bring up a user’s Facebook ID based on a provided phone number.
The bot claimed to be able to provide information belonging to users in the United States, Canada, United Kingdom, Australia and 15 other countries.
The results are redacted, and users are prompted to purchase credits to access the full details. Prices range from US$20 (RM81) for one credit to US$5,000 (RM20,242) for 10,000 credits, according to the report.
Joseph Cox (@josephfcox), January 25, 2021: "Here is a screenshot of the bot in action. This is the phone number of someone who deliberately tries to keep that number private. Now, exposed in an easy to find bot online https://t.co/arci9RyXYt pic.twitter.com/B8RFTl4DQe"
Motherboard stated that it has tested the bot and claimed that the bot produced a genuine phone number belonging to a Facebook user who never publicised the number.
The Telegram bot is being advertised by a user on a low-level cybercriminal forum who claimed to have a database containing 500 million users.
Cybersecurity firm Hudson Rock, which alerted the website about the Telegram bot, said the finding is “worrying” as it exposes users’ privacy and could lead to them becoming targeted by fraudsters.
The data was believed to have originated from a vulnerability that Facebook said it had fixed in 2019. The website was able to gather a sample of the bot’s data and shared it with Facebook.
Facebook said the IDs from the data were created prior to its fix of the contact vulnerability, adding that it tested the bot against newer data and the bot did not return any results.
However, Facebook users whose phone numbers have not changed since 2019 may still be vulnerable, according to the website.
In 2019, TechCrunch reported that more than 419 million records containing Facebook users’ IDs and phone numbers were exposed on a server online. It claimed that the server was not password-protected, meaning anyone could access the data.
Facebook said the data set on the server was old and may have been obtained prior to the company removing the feature to let users search for others using phone numbers. That feature was removed in 2018.
It added that the data set has been taken down and there was “no evidence” of Facebook accounts being compromised.