Scammers and stalkers can now get your phone number for $20: What to do

Look out Facebook users, because someone has created a database of your mobile numbers and is selling access to it through an automated Telegram messaging bot, according to Vice News.

The silver lining is that the data is old. The phone numbers and associated Facebook account data were legally "scraped" (downloaded in bulk from public Facebook pages) before April 2018, when Facebook made the scraping process more difficult in the wake of the Cambridge Analytica scandal.

Until that month, you could use Facebook as a reverse-lookup phone book. Punching in a valid mobile number, even a random one, would often reveal an associated Facebook account, including the name and location of the mobile number's user. 

Up to 500 million numbers can be looked up

The database, to which this enterprising Telegram account is now selling access, seems to be a vast collection of phone numbers and associated Facebook accounts. You can use a number to look up a Facebook account, or a Facebook username to look up a phone number. 

There may be as many as 500 million numbers in the database, according to one source cited by Vice News, though that figure could be exaggerated. Considering that mobile numbers aren't publicly listed in many countries, this White Pages of mobile numbers might be worth a lot of money to telemarketers, scammers, snoops, stalkers and Bitcoin thieves.

If so, the seller of this data is incentivizing customers to buy in bulk. If you look up a number and a Facebook account turns out to be associated with it, or vice versa, you've got to pay one "credit" for all the information. 

A single credit sells for $20 U.S., but there are steep discounts to pre-purchase credits in blocks, up to 10,000 credits for $5,000 U.S., or 50 cents each.

Vice News sprang for a couple of tests and found that the database "contained the real phone number of a Facebook user who tries to keep this number private."

What can you do about revealed mobile numbers?

So what can you do about this? Not a lot, we're afraid. 

If you have real enemies or stalkers who might use this lookup service to track you down and do you harm, you could change your mobile number if it hasn't been changed in the past two or three years. 

Ditto if you own a lot of Bitcoin and are at grave risk of having your phone number, and all that digital currency, stolen outright by a number-porting scam and the resulting failure of two-factor authentication (2FA).

But for most people, changing their mobile numbers won't be worth it. The data has been out there for years. It's likely been exposed in several previous Facebook data dumps, including in September 2019, December 2019 and, most recently, April 2020.

Facebook asks everyone who installs Facebook on a smartphone to input their mobile number. It also encourages those who don't use its mobile apps to sign up for 2FA, in which a special code is texted to a mobile number, which of course Facebook then needs to have. 

You should go into your Facebook account's privacy settings to make sure that your phone number is set to "Friends", or even better, "Only Me." (You should also set your birthday to "Only Me" in Settings --> Your Facebook Information --> Access Your Information --> Profile Information --> About --> Contact and Basic Info.)

As an even more drastic step, you can remove your phone number from Facebook entirely. It's too late to prevent your number from being part of the existing collections of Facebook-linked numbers, but at least you'll know it won't happen again.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.