Interested parties can purchase “credits” to search the archive, with prices starting at $20 and reaching $5,000 for 10 queries. The chatbot claims to contain information about Facebook users from the United States, Canada, the United Kingdom, Australia and fifteen other countries. More than 8 million Brazilian accounts may have been affected.
The database is not new; according to Facebook itself, it is related to a vulnerability that the company fixed in August 2019. The bulk of the information concerns phone numbers: buyers can enter a number to receive the corresponding user ID on the social network, or vice versa.
"It is very worrying to see a database of this size being sold in cybercrime communities, it seriously damages our privacy and will certainly be used for defamation and other fraudulent activities," says Alon Gal, cofounder and CTO of cybersecurity company Hudson Rock - who posted on Twitter about the case.
The site Motherboard tested the bot and confirmed that it contained the real phone number of a Facebook user. When consulted, the company said the data contained platform IDs that were created before the vulnerability was fixed. Facebook said it also tested the bot against more recent data and that it returned no results.
Even with old information, the breach of privacy can be dangerous, since for many years before 2019 Facebook encouraged, and sometimes demanded, that users register a phone number. The database also contains contacts that people provided to the platform for two-factor authentication.
"It is important for Facebook to notify its users of this breach so that they are less likely to be victims of different attempts by hackers and social engineering," says Gal.