
A database of Facebook users’ phone numbers found online - bifrost
https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/
======
reaperducer
Facebook: "This dataset is old and appears to have information obtained before
we made changes last year to remove people’s ability to find others using
their phone numbers."

Not that "old." Some of those "update" dates are just a few days ago.

~~~
compiler-guy
How many people change their phone numbers more than once a decade? How many
people change their facebook accounts ever?

The age of this data may be "old" by whatever definition Facebook is using,
but it is still of great interest to identity thieves and ne'er-do-wells.

~~~
52-6F-62
Yep. As far as I’m accustomed most people do whatever they can to maintain
their phone numbers even across services. So much so that it’s law in Canada a
provider can’t lock in your number and must let you take it with you to
another provider.

~~~
_puk
In the UK it's as easy as sending a text [0] to get your number ported to a
new carrier. Carriers must oblige.

0: [https://www.ofcom.org.uk/about-ofcom/latest/media/media-releases/2019/end-it-with-a-text-mobile-switching](https://www.ofcom.org.uk/about-ofcom/latest/media/media-releases/2019/end-it-with-a-text-mobile-switching)

~~~
jonny_eh
Does that make it easy to steal phone numbers, and therefore identities?

~~~
onion2k
Based on the fact that never seems to happen, no.

~~~
viraptor
What do you mean never? It has a name and is pretty common in Bitcoin exchange
fraud:
[https://en.wikipedia.org/wiki/SIM_swap_scam](https://en.wikipedia.org/wiki/SIM_swap_scam)

~~~
nullymcnull
The specific UK mechanism that is the subject of this subthread was introduced
in July; it's not what your wikipedia link describes (social engineering to
get a number ported).

~~~
velox_io
I'm also in the UK, I've had the same phone number for at least a decade. It
has been easy to carry your phone number to a new provider for as long as I
can remember.

You just contact your existing provider, tell them you wish to leave and need
the PAC code. After they beg you to stay and throw you a sweetheart deal,
they'll send it via text or post.

~~~
abrugsch
You have been ABLE to do that for as long as I can remember (I've kept the
same number since 2005, now on all the major networks. I only didn't keep my
number prior to that because it was a work-provided contract), but depending on
which one you were dealing with, they would put up a number of different
obstacles when you contacted them, to make the process as painful as possible
(to keep you as a customer... THREE, I'm looking at you!), so the new automated
SMS process introduced in July is a welcome addition.

------
raisedbyninjas
Heads up: T-mobile will allow you to take over an account if you can guess one
of the most recent phone numbers that the target account has called.

~~~
inetknght
That sounds very secure indeed. Nobody would ever guess that I'd recently
called my folks! /s

~~~
trungdq88
In Vietnam, scammers use a few numbers to call the target first, making those
numbers the "most frequent recently", then take over the target's phone number.
This security model is terrible.

------
bubble_talk
So let us say I go to some page which lists some "potentially well off" folks,
like this one:

[https://github.com/orgs/google/people](https://github.com/orgs/google/people)

or this:

[https://github.com/orgs/microsoft/people](https://github.com/orgs/microsoft/people)

or even this :-)

[https://github.com/orgs/facebook/people](https://github.com/orgs/facebook/people)

Given that GitHub even provides a convenient, public, unauthenticated API, it
makes it even easier:

[https://api.github.com/orgs/facebook/public_members](https://api.github.com/orgs/facebook/public_members)

And then I match it with their personal phone numbers in the dataset
(apparently it's now offline, but maybe another one will reappear at some
point).

And then I can just call these phone numbers and sell them stuff? And it's
perfectly OK because even if a dataset like this goes into the wild it acts as
nothing more than "just a phone book"?

~~~
wodenokoto
Couldn’t you already match those lists against the phone book?

~~~
paulddraper
If you knew their locality.

~~~
iyw
null comment

------
sleavey
Heads up: when Facebook asks you to give them your phone number to "prevent
you getting locked out of your account", they really just want it so they can
identify your other profiles in datasets they've bought/own (e.g. WhatsApp).
If you've ever given the service your number, you should consider your real
identity linked to it.

~~~
paws
> If you've ever given the service your number, you should consider your real
> identity linked to it.

I have a feeling it's worse than that. (I haven't rigorously perused the ToS,
if I'm wrong please lmk.)

Let's say your friend John has an iPhone and saves your name and # in their
contacts. One day John installs the Facebook app & opens it. John is not
technical and when the app requests permissions he taps 'Allow'. At that point
AFAICT there's nothing stopping Facebook from snagging your name & number and
populating a ghost profile, or corroborating a real one.

In other words, if you've ever shared your phone number to someone who uses
the Facebook app who doesn't dutifully and consistently reject permissions
prompts, it's probably already too late.

~~~
Tade0
Would rather not share the details here, but I know of one instance of a
person having been found on Facebook via her phone number even though she
never provided it - just one imprudent person who has your number associated
with your real full name is enough for this to happen.

~~~
taneq
It’s like when you upload a photo with your friend (who doesn’t use Facebook)
and it pops up ‘Did you want to tag [friend]?’

~~~
dwild
> ‘Did you want to tag [friend]?’

You can tag someone that isn't on Facebook? I'm pretty sure the box uses
Facebook accounts...

~~~
taneq
Admittedly I didn't actually try it but I'm pretty sure said friend didn't
have Facebook at the time (although they did get it, years later).

------
pedrocx486
Kinda curious how you never find those dumps by a normal search on Google,
basically you have no way to know if your data is there if you don't know
where to look. I don't use Facebook but I always suspected my data is there
due to friends having me in their contacts and using their apps.

~~~
shiftpgdn
You are likely in this database if you added your phone number to your
Facebook account. There was a point where if you just typed a phone number
into facebook it'd return the person who associated their account with that
number.

~~~
docker_up
Even worse. You are likely in this database if even a single one of your
contacts uploaded their contacts to Facebook.

The probability of your phone number not being uploaded to Facebook is
basically 0.

~~~
gatherhunterer
The article says that each entry has an ID associated with a Facebook account.
What leads you to think that there are entries in this dataset for non-users?

~~~
ineedasername
It's well known that Facebook collects information on non-users as well,
frequently called "shadow profiles". Zuck admitted as much to Congress,
although he claimed not to know what "shadow profile" meant. [0]

Whether or not that information was part of this database isn't clear, but it
also isn't something the parent comment claimed.

[0] [https://slate.com/technology/2018/04/facebook-collects-data-on-non-facebook-users-if-they-want-to-delete-it-they-have-to-sign-up.html](https://slate.com/technology/2018/04/facebook-collects-data-on-non-facebook-users-if-they-want-to-delete-it-they-have-to-sign-up.html)

~~~
gatherhunterer
That is exactly what the parent comment claimed.

> You are likely in this database if even a single one of your contacts
> uploaded their contacts to Facebook.

Shadow profiles are old news. The suspect claim is that the parent comment is
more informed on this database than the source that published it.

> Whether or not that information was part of this database isn't clear

Yes it is. According to the source, this particular public data dump consists
only of entries with IDs linked to a Facebook account.

> Each record contained a user’s unique Facebook ID and the phone number
> listed on the account. A user’s Facebook ID is typically a long, unique and
> public number associated with their account

~~~
ineedasername
I don't see why shadow profiles couldn't use the same ID system. Why not?

For the parent comment saying they were in the data set: my initial
interpretation was that they meant if one Facebook user had done so, and you
were also a Facebook user, then whether or not you had provided your #, it was
now associated with you. Your interpretation might be correct though.

------
viach
Imagine what's going to be found online after Libra is implemented - accounts,
phone numbers and the history of purchases including supplier's name and type
- a dream database for target advertising.

------
brlewis
If I never associated a phone number with my account am I safe, or does it
also include phone numbers from contacts lists people let Facebook copy?

~~~
sapski
the latter, see [https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051](https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051)

~~~
nano81
Not true, you could only search for accounts using phone numbers people had
entered themselves

~~~
Lewton
But your phone number would still be in Facebook's database...

~~~
nano81
This article is not about facebook’s database it’s about phone numbers scraped
through search which ended up in a third party database

~~~
kuu
"numbers scraped" from Facebook's database. Of course this is about Facebook's
database

------
shakezula
It's clearly a mongo database. I'm curious if there was no password because
mongo doesn't password protect by default or if it was intentionally left
public.

~~~
bifrost
My guess would be that it was set up by someone for test/dev and then it was
forgotten about. I've found this to be a "time-honored" problem, heh.
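The exposure pattern discussed above (a MongoDB instance that accepts connections without any credentials) comes down to two settings in `mongod.conf`. The following is an added illustration, not something from the thread or from the exposed database: the first fragment shows the permissive configuration a throwaway test/dev instance often ends up with, the second the hardened form. The file path and the user name are assumptions.

```yaml
# --- Exposed test/dev instance (what the thread describes) ---
# Assumed file: /etc/mongod.conf
net:
  bindIp: 0.0.0.0      # listens on every interface, reachable from the internet
  port: 27017
security:
  authorization: disabled   # MongoDB's default: no credentials required at all

# --- Hardened form ---
net:
  bindIp: 127.0.0.1    # local only; put a firewall or VPN in front if remote access is needed
  port: 27017
security:
  authorization: enabled    # every client must authenticate as a user with roles
# Before enabling authorization, create an administrative user (name is assumed):
#   use admin
#   db.createUser({ user: "admin", pwd: passwordPrompt(), roles: ["userAdminAnyDatabase"] })
```

A quick check that the hardened instance is really enforcing authentication is to connect without credentials and run `db.runCommand({ connectionStatus: 1 })`: `authInfo.authenticatedUsers` should be empty, and any read of a collection should fail with an unauthorized error. Running that same check from outside the host (or scanning your own external IP range for port 27017) is how the "forgotten dev box" case gets caught before someone else finds it.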

------
cm2012
Wow, a phone book.

Do HN readers know you can buy lists of millions of people's names and phone
numbers from companies whose sole purpose is collecting them, like infogroup?

~~~
bpchaps
Yes, you can get _tons_ of personally identifiable information from things
like public records laws and such. That's irrelevant, though. This is a phone
number tied to a facebook account, not just their name.

A major difference here is the ability - at scale - to associate people with
their facebook accounts. There are people who do not want to be associated
with their facebook account, and reasonably so. Not sure why you don't think
that would be a big deal.

~~~
paulddraper
> There are people who do not want to be associated with by their facebook
> account

I figured that ever since Facebook instituted the "real name" policy, this
isn't necessarily possible.

~~~
bpchaps
Troll post? This would either imply that Facebook has 100% valid identity
checks or that 100% of people are honest about their identity.

~~~
paulddraper
Or 100% of people are reported?

IDK how it works; I just know Facebook requires my real name.

~~~
bpchaps
You're suggesting that Facebook is 100% accurate in determining whether a name
is real, or a pseudonym.

Imagine this: someone is on Facebook and wants to hide their identity for some
reason. The best examples I can think of right now are teachers who don't want
their profiles accessible to their students (because high schoolers can be
little shits), or someone trying to create a new life after domestic abuse. It
makes full sense that they wouldn't want to give their full name, so that they
can't be found. Facebook isn't good enough at real name detection to get it
right 100%. How could they?

With this sort of dump, a domestic abuser can much, much more easily find the
person they abused, when that person was previously under a pseudonym.

This is just a small example. It gets much more complicated when considering
how many millions of phone number:Facebook IDs were released.

------
1000units
Does anyone know where to obtain this dump? I would like to know if I am
compromised.

~~~
bifrost
You can check with "Have I Been Pwned"

URL -> [https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
1000units
This appears to be for emails and passwords, neither of which are reported to
exist in this dump.

~~~
pawelk
For now. Let's throw some money their way to make search by phone number
happen? I have donated just last week and I will do that again next month.

~~~
1000units
A less virtuous person would just pay criminals a hundred bucks or some other
trivial fee to have direct access to the data that's being collected (and
mishandled) about him. The song and dance required to keep these leaks out of
public sight only enables victimizers, and there would be a magnet link in
this very thread if they didn't have deep pockets and a vested interest in
relegating this news to a one-and-half-page internet news blurb.

------
captain_qwark
Is it that difficult to encrypt phone numbers before storing to a database? Or
do they just use ridiculously easy to break encryption algorithms? Or does
Facebook just not care?

~~~
nroets
Facebook used to have a feature that allowed users to find a profile if they
have a phone number. I found it useful when I received a text from an unknown
number. Especially to protect myself from being catfished.

If I understand correctly, someone collected all the queries and all the
results and made a phonebook.

I think Facebook cares, but at the same time they always benefited from these
measures where they let their users see as much as possible.

------
chasing
Has there been any kind of class action lawsuit against FB for this kind of
crap?

------
ForFreedom
So how does one check if their data is compromised?

------
amatecha
So... any way I can see if my number was in this database?

Pretty funny. Years ago I very-begrudgingly verified my phone# on my FB
account as my employer had me working on a FB integration... I knew I should
have upheld my principles and not used my personal account.

~~~
userbinator
My general rule is that the only personal resource I will use in a software
job is my brain.

~~~
amatecha
Oh yeah, this was a long time ago, and I have since adopted the same mentality
:)

I think at the time the only way to be a Facebook Developer was to verify your
identity via SMS (or something like that) and you couldn't just create a
fake/pseudonymous account for development purposes. I assume that is still the
case, but I have no clue.

------
ydnaclementine
proper link? I'm curious to see if I'm on there

~~~
input_sh
Check Settings -> Privacy -> Who can look you up using the phone number you
provided?

If I understood this story correctly, it was scraped from accounts that had
this preference set to public.

~~~
Avamander
It can be scraped even when it's "Only people who you have in contacts" (can't
recall the exact wording right now), Facebook thinks it's a feature and that
their privacy measures are working properly.

------
mancerayder
That's egregious but have you ever looked yourself up on any one of those
crazy info scraping sites? usphonebook.com and dozens of their ilk? You might
be shocked by what you find. Some colleagues had all old email addresses
listed, not to mention correct current address and associated persons.

Point is, Facebook probably already have it, the Enemy probably can easily get
it.

Facebook is of course evil, I don't want to diminish their scraping and also
security mishaps.

------
Yuval_Halevi
Facebook is proving itself over and over again as a company who don't care at
all about their users.

the amount of data scandals they had in the last few years is insane

~~~
wmeredith
They care greatly about their users-advertisers. Their product on the other
hand-people with Facebook accounts-are to be sold to the highest bidder.

------
ecesena
Will haveibeenpwned add phone numbers? That'd be neat.

~~~
aledalgrande
That would be dangerous: it would be much easier to mine haveibeenpwned by
enumerating phone numbers and see what sites have been hacked with a certain
number. You would then know exactly which sites to target with which phone
number, and that's already eliminating a lot of work. Get a password dataset
or two in the darknet and you can now hack into many accounts.

------
bee-boop-19
The real catch with this is how all this information was public for so long.
The average user still doesn't understand that they posted their PII to a
searchable database, and ultimately the ramifications of doing so. Even now,
yes, FB has restricted phone numbers, but a simple bot friending people on FB,
which many users would blindly accept requests from, would once again reveal
all this data.

------
goatinaboat
My guess: the data was exfiltrated by a FB employee intending to use it for
their own startup.

------
Zenst
Is this just Facebook users? Or does this include people who just use say,
Whatsapp?

Then remembering this: [https://arstechnica.com/information-technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-android-phones/](https://arstechnica.com/information-technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-android-phones/)

Makes you wonder.

------
etxm
This isn’t getting old to me yet!!1

------
discordance
If this had European users, will they get slugged with a 4% of their revenue
fine under GDPR?

~~~
jefftk
It sounds like this was scraped before the GDPR went into effect.

~~~
oriettaxx
In [https://techcrunch.com/wp-content/uploads/2019/09/fb-3-2.jpg](https://techcrunch.com/wp-content/uploads/2019/09/fb-3-2.jpg) I see "update 2019-8-28". Updated from where?

~~~
lioeters
From the article:

> ..The data appeared to be loaded into the exposed database at the end of
> last month — though that doesn’t necessarily mean the data is new.

EDIT: Oh, you were asking "from where". I'd be curious to know the source of
this database too, since it's probably just one of countless copies
circulating..

------
collyw
Glad I didn't give them my phone number despite them pestering me for it.

~~~
cruano
Oh don't worry, some of your friends probably already gave it to them when
allowing facebook to see their contacts

------
subcosmos
Better headline: "FaceBook disrupts the phonebook business with new lookup
app"

------
no7kai
Does anyone know how to get this dataset?

------
RyanAF7
Intentional. Zuck should go to jail.

