One person advertising the phone numbers says it contains data on nearly 500 million users, although the information is several years old.
A total of 18 million were from users in the UK, while around 133 million were from American accounts.
When the bot – which uses the messaging service Telegram, which recently saw an influx of users – is launched, it says: “The bot helps to find out the cellular phone numbers of Facebook users”, according to Motherboard.
Users can enter a phone number to receive a user’s Facebook identification, for profiles in the UK, US, Canada, Australia, and 15 other countries. This also works in reverse – a Facebook ID can be used to harvest a users’ phone number.
While the initial results from the bot are hidden, users can pay to reveal the full phone number. It costs $20 per phone number unlocked, with prices reaching $5,000 for 10,000 numbers.
“It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors,” said Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who alerted Motherboard to the breach.
Gal obtained a sample of the bot’s data, which Motherboard then shared with Facebook.
Facebook told Motherboard the data relates to a vulnerability the social media company patched in August 2019, but that the data had been scraped before the company implemented its fix.
When tested against new data the bot did not return any results, but is still concerning for people who linked their number to Facebook before August 2019 – which Facebook encouraged and at times required, Motherboard reports.
“It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts,” Gal told Motherboard.
Facebook did not respond to a request for comment from The Independent before publication.