Facebook's phone search can be abused to find people's numbers, researchers say

08.10.2012

With Borland's script running on a large botnet -- over 100,000 computers -- an attacker could find the phone numbers and names of most Facebook users with mobile numbers associated with their accounts in a matter of days, Prakash said.

It is disturbing that this vulnerability is still open and there are public tools available to exploit it, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email on Monday. Very few users alter their default privacy settings, he said.

This is another example of how a great feature can end up abused if safety mechanisms are poorly implemented or are completely missing, Botezatu said. "Unlike e-mail messages or blog comments, approaching a user by phone is much more effective in a spear vishing [voice phishing] attack, mostly because the computer user is not aware of the fact that his phone number may have ended up in the wrong hands. Coupled with the users' information in their profile, an attacker can convince the user into handing personal information in no time."

Voice phishing attacks and other types of phone scams are common and their success rate is already high, Botezatu said.

"Now imagine that these crooks address you by your full name and back up their statements with information about you taken straight from your [Facebook] profile," Botezatu said.