A database of Facebook users’ phone numbers found online (techcrunch.com)
649 points by bifrost 15 days ago | 165 comments

Facebook: "This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers."

Not that "old." Some of those "update" dates are just a few days ago.

How many people change their phone numbers more than once a decade? How many people change their facebook accounts ever?

The age of this data may be "old" by whatever definition Facebook is using, but it is still of great interest to identity thieves and ne'er-do-wells.

Yep. As far as I’m accustomed most people do whatever they can to maintain their phone numbers even across services. So much so that it’s law in Canada a provider can’t lock in your number and must let you take it with you to another provider.

In the UK it's as easy as sending a text [0] to get your number ported to a new carrier. Carriers must oblige.

0: https://www.ofcom.org.uk/about-ofcom/latest/media/media-rele...

I love how they used to pretend that their response to regulatory pressures was in fact a new product/feature offered by them. For instance, allowing me to keep my phone # was phrased in a way that would make me think that EE/O2/... let me do that for free, yay. Same applies to the EU regulations dealing with lowering roaming charges—the carrier I used at that time even developed branding for it. It’s a bit damaging given how little UK citizens know about EU.

Antibiotic-free meat is the latest advertising trend in the US, now that the FDA has explicitly banned its use.

It's actually a terrible system though. It relies on the original issuer of the number maintaining essentially a "proxy" to your new provider. So if I transferred from o2 -> EE, and o2 had network issues, it's possible (and has happened to me personally) that I am affected even though I have left o2. I think also calls are actually physically routed through the original network. Lots of weird things can happen like texts from certain networks never arriving.

I had to get a new number when I discovered my NZ family could receive my texts but their replies never arrived at my end.

For more info, see https://www.theregister.co.uk/2017/07/20/uk_number_porting_c...

I've been switching back and forth between two providers for the last 5 years, and I've always wondered now that I'm back to my first provider if calls/texts to me go directly to A, or go A->B->A->B->A.

Should just go straight to A. The way the numbers work is that the prefixes are assigned to various operators. When you transfer, the "owning" operator forwards calls on to the target operator. If you returned presumably the forwarding is removed.

(From [0]): "One of the very few countries not to use ACQ/CDB is the UK, where once a number has been ported, calls to that number are still routed via the donor network. This is also known as "indirect routing" and is highly inefficient as it is wasteful of transmission and switching capacity."

"Because of its donor dependent nature, indirect routing also means that if the donor network develops a fault or goes out of business, the customers who have ported numbers out of that network will lose incoming calls to their numbers."

[0] https://en.wikipedia.org/wiki/Mobile_number_portability

Does that make it easy to steal phone numbers, and therefore identities?

The handset initiates it by sending an SMS to a shortcode.

Shortcodes are phone numbers that are carrier-specific, e.g. the three-digit code that you use to access your voicemail etc.

The phone company knows the identity of the calling handset when it gets the text message with a high degree of certainty, as the handset is directly connected to its network.

So the person doing the transfer has to be in possession of the phone, or able to spoof or clone the phone.

Trivia: an attacker who redirects phone numbers to gain access to a bank account https://williamedwardscoder.tumblr.com/post/24949768311/i-kn...

Based on the fact that never seems to happen, no.

What do you mean never? It has a name and is pretty common in Bitcoin exchange fraud: https://en.wikipedia.org/wiki/SIM_swap_scam

The specific UK mechanism that is the subject of this subthread was introduced in July; it's not what your wikipedia link describes (social engineering to get a number ported).

I'm also in the UK, I've had the same phone number for at least a decade. It has been easy to carry your phone number to a new provider for as long as I can remember.

You just contact your existing provider, tell them you wish to leave and need the PAC code. After they beg you to stay and throw you a sweetheart deal, they'll send it via text or post.

You have been ABLE to do that for as long as I can remember (I've kept the same number since 2005, now on all the major networks; I only didn't keep my number prior to that because it was a work-provided contract), but depending on which provider you were dealing with, they would put up a number of different obstacles when you contacted them, to make the process as painful as possible (to keep you as a customer... THREE, I'm looking at you!). So the new automated SMS process introduced in July is a welcome addition.

Didn't it happen to Jack Dorsey last week?

> So much so that it’s law in Canada a provider can’t lock in your number and must let you take it with you to another provider.

Same in Germany.

Good to know it's a law. I was discussing this yesterday as being easy and frequent to port over number between providers. Do you know if providers are allowed to charge a fee for the transfer?

No, but if you were on a contract they can charge you the device cost prorated to how much time was left on your contract. And the new carrier can charge a setup or admin fee, though most carriers don’t for competitive reasons, or they call it a SIM card fee and waive it if you activate via eSIM. All the fine print in Plain English: https://crtc.gc.ca/eng/phone/mobile/num.htm

Actual ruling: https://crtc.gc.ca/eng/archive/2005/dt2005-72.htm

Further regulation covers number portability beyond the named carriers, and require all carriers to register with the CRTC, etc. https://crtc.gc.ca/eng/archive/2017/2017-11.htm In return, the CRTC helps guarantee access to the large players’ wholesale networks, though in practice the fight is still ongoing over newly installed fibre optic networks and the uncompetitive rates the incumbents charge for full speed service on their networks.

It’s not all good news: a particularly disappointing CRTC ruling followed Bell Canada’s recommendation that Canadian TV should only be provided via Internet if the household has internet from that TV provider directly. This has effectively locked out any over-the-top competition such as YouTube TV from Canadian markets, as they won’t be able to offer Canadian OTA channels. Sadly, I can’t find the ruling in the mess on the CRTC site, as CRTC language is obscure to say the least, but as TV is heavily regulated in Canada, the CRTC has old-fashioned rules saying IPTV providers must provision a box and a line for service (Internet) in order to offer TV. This limits competition to only those willing to provide Internet in Canada to every household, or requires third parties to negotiate with incumbents for access to such households. Existing third-party ISPs/Canadian IPTV companies go along with the above rules because nobody wants US providers entering the market; they just want to carve out cheaper Internet+TV price points with competitive Internet speeds that the incumbents don’t offer at competitive wholesale rates, and benefit from a high switching cost where switching TV providers means switching ISPs, knowing most people won’t do it. Until we have enough VOD content, Canadians are either pirating, using VPNs or paying their ISP for television, not having any other legal choices in this country...

While I can’t find the ruling just yet, here’s an article from 2015 highlighting Bell’s requirement that IPTV be restricted to ISP lines: https://www.cbc.ca/news/business/bell-crtc-25-basic-tv-1.375... And here’s an article where Bell refused to license their networks to VMedia’s Roku app arguing that by going over the public Internet, VMedia was running the content on a private network outside Bell’s control (Most IPTV providers find it cheaper to bundle with Bell’s VDSL) https://www.cbc.ca/news/business/bell-vmedia-iptv-internet-r... This later led to the ruling that only ISPs can provide TV...

Personally I’m more irritated by how much VOD content Bell has exclusive license to, such as their Crave+HBO, which is cheap for now, but helps Bell compete with channels offered by Amazon Prime Video. Corus, formerly owned by Shaw (another cable provider) licenses a lot of US content, and so might limit what content is available north of the border. It’s particularly hard to find VOD episodes from Turner and Viacom networks and the expanded licensing STARZ has with Hulu is completely absent north of the border. When you can’t find a show legally on any VOD network in your country including iTunes, what are you supposed to do...? CRTC rules are not making this any easier for Canadians to watch what they want, wherever they want (ISP requirement means your cell phone must also have service from your IPTV provider, it’s nuts), and on whatever device they want...

This is the case in India as well. You can keep your number and still change the network provider. People tend to keep the same number.

Same in the US

Relevant XKCD https://xkcd.com/1129/

> changes last year to remove people’s ability to find others using their phone numbers.

What? That's not true, I reported the issue about user enumeration via phone numbers being possible in Whatsapp, Messenger and Instagram to them last week and they claimed (paraphrased) "it's a feature, not a security issue".

Do you intend to publish this correspondence? I think some companies prefer to sue people using these "features" instead of changing them. It's a good thing to have on record.

There's not much to publish. It is just me saying that a custom contact book allows finding out a lot of people's accounts, them saying that the behavior respects people's settings and is working as intended.

They removed "people's" ability, but not their own.

I've had my phone number since 2002. It doesn't matter how "old" their dataset is when some of the data predates the entire company.

Yes but

"But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new."

Somewhat curious what the Status key represents in this dump, personally.

>ability to find others using their phone numbers."

Ah right, that's why I couldn't find someone...

That just means the database was updated a few days ago, not that the data is new.

The new normal in public relations seems to be to make irrelevant or simply mendacious excuses which seem to suggest that they don't have a clue, but which actually show their contempt for their users.

Heads up: T-mobile will allow you to take over an account if you can guess one of the most recent phone numbers that the target account has called.

That sounds very secure indeed. Nobody would ever guess that I'd recently called my folks! /s

In Vietnam, scammers use a few numbers to call the target first, making those numbers the "most frequent recently", then take over the target's phone number. This security model is terrible.

No one would ever guess that my target called me back after I left a frightening voicemail also!

And conveniently Facebook often lists your relatives' accounts right on your profile.

So you could just call and leave a reasonable sounding voicemail compelling them to call back?

Is this true? Got a link for reference?

Sorry, no link. Just personal experience when we lost the account info for an employees phone.

Did you have a PIN/Passcode on the account [1]? That's a 6-15 digit number you can set on an account that you have to supply when you call support, or have to give to your new carrier for them to get your phone number ported off of T-Mobile.

[1] https://support.t-mobile.com/docs/DOC-37477

So let us say I go to some page which lists some "potentially well off" folks, like this one:

or this:

or even this :-)

Given GitHub actually even provides a convenient, public, unauthenticated API, it makes it even more easy:

And then I match it with their personal phone numbers in the dataset (apparently it's now offline, but maybe another one will reappear at some point).

And then I can just call these phone numbers and sell them stuff? And it's perfectly OK because even if a dataset like this goes into the wild it acts as nothing more than "just a phone book"?

Couldn’t you already match those lists against the phone book?

Cellphone numbers do not appear in regular phone books.

If you knew their locality.


What’s a phone book?

Yeah but who answers calls from unknown numbers anymore? It’s pretty much 99% spam already.

But if you can see any of their Facebook friends, just look up one of their cell number and spoof it when you make the call.

Heads up: when Facebook asks you to give them your phone number to "prevent you getting locked out of your account", they really just want it so they can identify your other profiles in datasets they've bought/own (e.g. WhatsApp). If you've ever given the service your number, you should consider your real identity linked to it.

> If you've ever given the service your number, you should consider your real identity linked to it.

I have a feeling it's worse than that. (I haven't rigorously perused the ToS, if I'm wrong please lmk.)

Let's say your friend John has an iPhone and saves your name and # in their contacts. One day John installs the Facebook app & opens it. John is not technical and when the app requests permissions he taps 'Allow'. At that point AFAICT there's nothing stopping Facebook from snagging your name & number and populating a ghost profile, or corroborating a real one.

In other words, if you've ever shared your phone number to someone who uses the Facebook app who doesn't dutifully and consistently reject permissions prompts, it's probably already too late.

Your feeling is correct. It's been shown by researchers (incl. me) and confirmed by Facebook that they're doing that: https://gizmodo.com/facebook-is-giving-advertisers-access-to...

I’ve confirmed this same type of behavior in several of Google’s products as well, as part of an experiment a couple of friends and I ran several months back, using fake personas, to see how feasible it’d be for one to simply exist w/o creating a digital footprint (let’s just say that our overall conclusions left me feeling very sad).

Facebook frequently suggested my own mobile number to add it to my account when after I logged into the mobile webpage via phone (I never used any Facebook apps).

My only explanation for that was exactly that it had been farmed from a friends contact list.

Would rather not share the details here, but I know of one instance of a person having been found on Facebook via her phone number even though she never provided it - just one imprudent person who has your number associated with your real full name is enough for this to happen.

It’s like when you upload a photo with your friend (who doesn’t use Facebook) and it pops up ‘Did you want to tag [friend]?’

> ‘Did you want to tag [friend]?

You can tag someone that isn't on Facebook? I'm pretty sure the box uses Facebook accounts...

Admittedly I didn't actually try it but I'm pretty sure said friend didn't have Facebook at the time (although they did get it, years later).

This is despicable.

You're exactly right. Add in the fact that Facebook can pose this as a puzzle to be solved, and attract a steady stream of sharp young people who can solve the puzzle without being bothered too much by the ethical consequences of solving the puzzle.

I've also definitely received "friend" suggestions for business contacts whose phone number/email address I've had stored in my phone.

There are no mutual friends or any other link it could make apart from linking my contact list with their number.

Facebook does indeed do that. One of the big reasons for paying 22B for WhatsApp is so that they could retrieve the entire friend graph of WhatsApp and use that to drive Facebook + Instagram MAUs.

The bigger the network, the more value a user gets, and the deeper the lock in.

It has been shown over and over again that both Facebook and Google will go to extreme lengths to know about their users’ lives and target them with precision ads. They are advertising companies foremost.

It would be interesting to see if there are ghost account numbers in the dataset. Depending on the country or region, would there be grounds for litigation if there were?

This is the entire business model of TrueCaller, and the reason they have a very accurate phone number lookup function.

> you should consider your real identity linked to it

What is the point of these products if not linked to my real identity? That’s the whole idea of them. I use Facebook and WhatsApp to talk to people who know me. That’s why they want to talk to me. If they didn’t know my identity they wouldn't want to talk to me.

Of course your real identity is probably involved somewhere. It's just that I, and many others like me, don't think a third party should know what my real identity is. It's not their business.

Edit: Unfortunately it probably is their business. A poor choice of words.

Aren’t we already at a tipping point where your FB identity effectively is your real identity?

For many purposes the companies don’t have to care about your "real" identity.

No, not really. I don't apply for jobs, book flights or vote with my Facebook account. I'm not concerned with what kind of insights Facebook can infer from a fake Mickey Mouse account. I'm concerned about the possibility of being discriminated against in the real world based upon data gleaned from my online interactions.

You can get discriminated against when booking flights, though, and you get selective propaganda through your FB account too... so you individually may not be affected, but your group, whatever that is, may be.

Network graphs.

Off the top example: If four of your friends are buying gifts for your baby shower, this is a signal that your other friends have the intent to buy baby gifts and could be marketed to.

WhatsApp was specifically designed to be encrypted and private. Facebook, however, seems to play fast and loose with data. Sure you can talk to John Doe, but you might hope no one else knows that you're talking to John or what you're talking about. Useful, for example, to report a government conspiracy to a reporter.

That's not the only reason. They also allow advertisers to target based on specific phone numbers. It's one of the creepiest features, along with targeting based on e-mail.

What's targeting by specific phone numbers? Area code as a proxy for geo location, or something more sophisticated?

OC is likely referring to Custom Audiences. Facebook lets you hash a list of emails or phone numbers and share it with them, so they can compare it with their own. It allows businesses to target their customers or prospects separately.

When you go shopping the cashier asks for your home address and phone number, for the invoice/bill. Then they upload your phone number to Facebook and advertise based on your purchasing history with them.

You upload a list of your customers' phones or emails and Facebook or Google allow you to show ads only to those users.

Brings to mind a question. I've got a throwaway Google Voice number for precisely this reason; some services will let me use it, others won't (even Google: I tried using a GVoice number as a recovery phone number for a Gmail account for my grandmother, nothing doing). A few just throw back a generic error, others will say they don't allow virtual DIDs.

Someone's going to say that's to cut down on fraud/increase security, right? Yet these services are going to (against many in the InfoSec world who are screaming "STOP DOING THAT") use SMS as a means of 2FA...

I'm a bit confused where the value add is for account security in making virtual telephone numbers such a hit or miss.

Real security is picking a unique password and not forgetting it. Letting someone handle your security by giving them your phone number in case you can't handle it was never a good idea.

Get a password safe, and don't forget your complex passwords.

2FA (through a third party like an email provider or, even, dare I say it, an SMS provider; not TOTP) continues to protect you when your password is compromised by a backend-side database breach. They might get your password; they might get your TOTP token seed; but there's nothing in the DB that will allow them to receive an email as you and then click the link in said email.

Yes, allowing someone to reset their password through a second factor is bad; but that's not 2FA, that's two independent 1FAs.

This is a good distinction and absolutely right. The problem comes when people substitute good passwords for 2fa resets via phone. The problem with that is that the majority of usage now comes from the phone, so it's not really a second factor if you lose your phone. It's a complex problem that depends on the situation and really too complex to make a matrix of when it's ok for your average Joe. Passwords suck, and we still use them, because as a general rule, it's the best thing we have.

For iOS, it seems easier to just make Facebook and WhatsApp use the same app group.

Kinda curious how you never find those dumps by a normal search on Google, basically you have no way to know if your data is there if you don't know where to look. I don't use Facebook but I always suspected my data is there due to friends having me in their contacts and using their apps.

Google only really does http/https, finding mongodb requires scanning for 27019 and then pointing a client at it. I believe Shodan does this.

It also indexes ftp, but that may unfortunately be coming to an end[1]. Ironically enough, Google's mission statement is still "to organize the world's information and make it universally accessible and useful", which if taken to its logical conclusion would mean such humorously delightful things as scanning for mongos and indexing their contents too...

[1] https://news.ycombinator.com/item?id=20721609

It's almost like people need a tool to tell them not to leave stuff open like that...

Between MongoDB, Jenkins and Elasticsearch, that's a whole ecosystem of pwnability that is probably just starting to be exploited.

> to organize the world's information

..including any private data they can gather on you, via search, maps, analytics, browser..

I wouldn't put it past Google to be already indexing exposed databases (or continue indexing ftp), just not making it publicly available.

Is the background image on the TechCrunch article a UI for MongoDB? Or is it just a FB GraphQL query browser UI?

It's MongoDB Compass, a client for Mongo.

You are likely in this database if you added your phone number to your Facebook account. There was a point where if you just typed a phone number into facebook it'd return the person who associated their account with that number.

Even worse. You are likely in this database if even a single one of your contacts uploaded their contacts to Facebook.

The probability of your phone number not being uploaded to Facebook is basically 0.

The article says that each entry has an ID associated with a Facebook account. What leads you to think that there are entries in this dataset for non-users?

It's well known that Facebook collects information on non-users as well, frequently called "shadow profiles". Zuck admitted as much to Congress, although he claimed not to know what shadow profile meant. [0]

Whether or not that information was part of this database isn't clear, but it also isn't something the parent comment claimed.

[0] https://slate.com/technology/2018/04/facebook-collects-data-...

That is exactly what the parent comment claimed.

> You are likely in this database if even a single one of your contacts uploaded their contacts to Facebook.

Shadow profiles are old news. The suspect claim is that the parent comment is more informed on this database than the source that published it.

> Whether or not that information was part of this database isn't clear

Yes it is. According to the source this particular public data dump consists only of entries with IDs linked to a Facebook account.

> Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account

I don't see why shadow profiles couldn't use the same ID system. Why not?

For the parent comment saying they were in the data set: my initial interpretation was they meant if one Facebook user had done so, and you were also a Facebook user, whether or not you had provided your #, it was now associated with you. Your interpretation might be correct though.

Well, I never had an FB account. But I have friends who I know have contact search enabled on their phones, so they probably have my phone and maybe first name.

What would happen if millions of people changed their phone numbers and did not re-register them with new accounts? Does anyone believe a social effort could dissuade the use of phone numbers for tracking people? How much entropy would need to be added to the system before using phone numbers as identifiers became useless?

Security researchers use search engines like Shodan to find these databases, not Google.

Is it protocol, if you find these things as a security researcher, not to share the link? I read about these leaks a lot and am always interested in viewing them but never can find them. I assume the links are shared with people carefully because a small number of people will use them maliciously.

Depending on the severity of the breach, yes it's generally considered best practice to notify the service first and give them time to deal with it. Depending on how bad it is, the person reporting it may be compensated for finding it. The company would generally fix the issue, and then the person who found it can make it public (based on their agreement with the company sometimes). The time period is often 90 days, but it could be worked out independently per case.

As with anything like this, consult a lawyer who knows this area of the law if you find yourself in this situation.

It’s never good to disclose PII. Dropping vulns after responsible disclosure is mostly considered ok, not so much with PII: it’s not the victim's fault and can be damaging longer term.

If the vendor refuses to fix the issue, providing the media with enough redacted info to have them publish a story will force the vendor's hand.

Imagine what's going to be found online after Libra is implemented: accounts, phone numbers and the history of purchases including supplier's name and type. A dream database for targeted advertising.

If I never associated a phone number with my account am I safe, or does it also include phone numbers from contacts lists people let Facebook copy?

Not true, you could only search for accounts using phone numbers people had entered themselves

But your phone number would still be in Facebook's database...

This article is not about Facebook’s database; it’s about phone numbers scraped through search which ended up in a third-party database.

"numbers scraped" from Facebook's database. Of course this is about Facebook's database

It's clearly a mongo database. I'm curious if there was no password because mongo doesn't password protect by default or if it was intentionally left public.

My guess would be that it was set up by someone for test/dev and then it was forgotten about. I've found this to be a "time honored" problem heh.

The "ObjectId" type gives it away

Wow, a phone book.

Do HN readers know you can buy lists of millions of people's names and phone numbers from companies whose sole purpose is collecting them, like infogroup?

Yes, you can get tons of personally identifiable information from things like public records laws and such. That's irrelevant, though. This is a phone number tied to a facebook account, not just their name.

A major difference here is the ability, at scale, to associate people with their Facebook accounts. There are people who do not want to be associated with their Facebook account, and reasonably so. Not sure why you think that wouldn't be a big deal.

> There are people who do not want to be associated with their Facebook account

I figured that ever since Facebook instituted the "real name" policy, this isn't necessarily possible.

> I figured that ever since Facebook instituted the "real name" policy, this isn't necessarily possible.

Is this even enforced? I've had a fake name for years (and I have plenty of friends who've done the same).

Troll post? This would either imply that Facebook has 100% valid identity checks or that 100% of people are honest about their identity.

Or 100% of people are reported?

IDK how it works; I just know Facebook requires my real name.

You're suggesting that Facebook is 100% accurate in determining whether a name is real, or a pseudonym.

Imagine this: someone is on Facebook and wants to hide their identity for some reason. Best examples I can think of right now is teachers who don't want their profiles accessible to their students (because high schoolers can be little shits). Or someone trying to create a new life after domestic abuse. It makes full sense that they wouldn't want to give their full name so that they can't be found. Facebook isn't good enough in real name detection to get it right 100%. How could they?

With this sort of dump, a domestic abuser can much, much more easily find the person they abused, when that person was previously under a pseudonym.

This is just a small example. It gets much more complicated when considering how many millions of phone number:Facebook IDs were released.

Depends on the jurisdiction. In Germany this is a grey area or outright forbidden depending on the case, and this dump apparently contains numbers from numerous jurisdictions.

Also, needless to say, someone who gives Facebook their phone number for verification purposes does likely not expect that the data is leaked or sold without their permission.

> needless to say, someone who gives Facebook their phone number for verification purposes does likely not expect that the data is leaked or sold without their permission.

Sadly, this isn't the case anymore. People absolutely expect companies to sell or leak every last bit of PII data they have on all their customers now.

Does anyone know where to obtain this dump? I would like to know if I am compromised.

The database has been taken down:

> The database was originally found by security researcher Sanyam Jain, who said that he was able to locate phone numbers associated with several celebrities. It's not clear who owned the database nor where it originated from, but it was taken offline after TechCrunch contacted the web host. There is no word on why the data was scraped from Facebook or what it was used for.

You can check with "Have I Been Pwned"

URL -> https://haveibeenpwned.com/

This appears to be for emails and passwords, neither of which are reported to exist in this dump.

For now. Let's throw some money their way to make search by phone number happen? I have donated just last week and I will do that again next month.

A less virtuous person would just pay criminals a hundred bucks or some other trivial fee to have direct access to the data that's being collected (and mishandled) about him. The song and dance required to keep these leaks out of public sight only enables victimizers, and there would be a magnet link in this very thread if they didn't have deep pockets and a vested interest in relegating this news to a one-and-a-half-page internet news blurb.

It was still reported to HIBP, so it's probably a worthwhile search.

Off topic, but I'm amused to see xkcd was hacked. And that its database used MD5 for hashing emails, passwords, and IP addresses!

Hashing an IP address (or phone number) doesn't add much security because such hashes are easy to reverse. A better idea is to delete the IP address after some short time. You might keep it for a week or a month to prevent mass registration, but after that time you don't need it.
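To make the point in that comment concrete, here is an added example (my own code, not from the thread or from any of the sites mentioned) using constructed sample numbers. A phone number has at most 10^10 possible values, so an unkeyed hash of one is reversed by simply hashing every candidate and looking the stored hash up in that table; the assumed scenario below narrows the space to a known six-digit prefix so it runs instantly. The second half shows the change that actually helps if a token must be kept: an HMAC with a secret pepper that is stored outside the database, so the same enumeration yields nothing without the key.

```python
"""
Added example: why an unkeyed hash of a low-entropy value (a phone number)
is trivially reversible, and what a keyed hash (HMAC with a secret pepper)
changes. Every number and pepper below is a constructed sample value.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional


def md5_hex(value: str) -> str:
    """Unkeyed MD5, the scheme the thread is criticising."""
    return hashlib.md5(value.encode()).hexdigest()


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256: a stronger hash, but just as enumerable on this input."""
    return hashlib.sha256(value.encode()).hexdigest()


def build_lookup_table(prefix: str, width: int,
                       hasher: Callable[[str], str]) -> Dict[str, str]:
    """Map hash -> number for every number that starts with `prefix` and has
    `width` trailing digits.  With a known six-digit prefix and four free
    digits (the constructed case used here) that is only 10^4 hashes; a full
    ten-digit number is 10^10, still a space that can be enumerated outright."""
    table: Dict[str, str] = {}
    for n in range(10 ** width):
        number = f"{prefix}{n:0{width}d}"
        table[hasher(number)] = number
    return table


def reverse_unkeyed_hash(stored_hash: str, prefix: str, width: int,
                         hasher: Callable[[str], str] = md5_hex) -> Optional[str]:
    """Recover the number behind an unkeyed hash by table lookup.
    Returns None only if the number lies outside the enumerated space."""
    return build_lookup_table(prefix, width, hasher).get(stored_hash)


def keyed_token(number: str, pepper: bytes) -> str:
    """HMAC-SHA256 over the number with a secret pepper.  The pepper lives in
    a secrets store or HSM, never in the database row next to the token, so a
    dump of the table alone does not let anyone rebuild the lookup above."""
    return hmac.new(pepper, number.encode(), hashlib.sha256).hexdigest()


def verify_token(number: str, pepper: bytes, token: str) -> bool:
    """Constant-time check that `token` was derived from `number` with `pepper`;
    this is what a legitimate lookup ("is this number already registered?")
    uses, instead of ever reversing the token."""
    return hmac.compare_digest(keyed_token(number, pepper), token)


def reverse_keyed_without_pepper(token: str, prefix: str, width: int) -> Optional[str]:
    """Same enumeration as reverse_unkeyed_hash, but the attacker does not hold
    the pepper and so can only try the plain hash: no candidate matches."""
    return build_lookup_table(prefix, width, sha256_hex).get(token)


if __name__ == "__main__":
    sample_number = "5550123456"            # constructed, not a real number
    leaked_md5 = md5_hex(sample_number)     # what an MD5-hashing site would store
    print("unkeyed MD5 reversed to:", reverse_unkeyed_hash(leaked_md5, "555012", 4))

    pepper = b"constructed-pepper-keep-this-out-of-the-db"
    token = keyed_token(sample_number, pepper)
    print("keyed token reversed to:", reverse_keyed_without_pepper(token, "555012", 4))
    print("legitimate verify:", verify_token(sample_number, pepper, token))
```

Note that the pepper only helps as long as it stays out of the dump; if the key is stored alongside the tokens, the keyed scheme degrades to the unkeyed one, which is why the comment's other suggestion, simply deleting the value once it has served its purpose, is the stronger control.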

> Hashing an IP address (or phone number) doesn't add much security because such hashes are easy to reverse.

Only if they hashed them separately.

Really it was their PHPBB forum heh. MD5 is so lame for passwords tho.

Is it that difficult to encrypt phone numbers before storing to a database? Or do they just use ridiculously easy to break encryption algorithms? Or does Facebook just not care?

Facebook used to have a feature that allowed users to find a profile if they have a phone number. I found it useful when I received a text from an unknown number. Especially to protect myself from being catfished.

If I understand correctly, someone collected all the queries and all the results and made a phonebook.

I think Facebook cares, but at the same time they always benefited from these measures where they let their users see as much as possible.

Has there been any kind of class action lawsuit against FB for this kind of crap?

So how does one check if their data is compromised?

So... any way I can see if my number was in this database?

Pretty funny. Years ago I very-begrudgingly verified my phone# on my FB account as my employer had me working on a FB integration... I knew I should have upheld my principles and not used my personal account.

My general rule is that the only personal resource I will use in a software job is my brain.

Oh yeah, this was a long time ago, and I have since adopted the same mentality :)

I think at the time the only way to be a Facebook Developer was to verify your identity via SMS (or something like that) and you couldn't just create a fake/pseudonymous account for development purposes. I assume that is still the case, but I have no clue.

proper link? I'm curious to see if I'm on there

Check Settings -> Privacy -> Who can look you up using the phone number you provided?

If I understood this story correctly, it was scraped from accounts that had this preference set to public.

It can be scraped even when it's "Only people who you have in contacts" (can't recall the exact wording right now), Facebook thinks it's a feature and that their privacy measures are working properly.

That's egregious but have you ever looked yourself up on any one of those crazy info scraping sites? usphonebook.com and dozens of their ilk? You might be shocked by what you find. Some colleagues had all old email addresses listed, not to mention correct current address and associated persons.

Point is, Facebook probably already has it, and the Enemy can probably easily get it.

Facebook is of course evil, I don't want to diminish their scraping and also security mishaps.

Facebook is proving itself over and over again to be a company that doesn't care at all about its users.

The number of data scandals they have had in the last few years is insane.

They care greatly about their users, the advertisers. Their product, on the other hand, the people with Facebook accounts, is to be sold to the highest bidder.

Will haveibeenpwned add phone numbers? That'd be neat.

That would be dangerous: it would be much easier to mine haveibeenpwned by enumerating phone numbers and seeing which sites have been hacked with a certain number. You would then know exactly which sites to target with which phone number, and that already eliminates a lot of work. Get a password dataset or two on the darknet and you can now hack into many accounts.

The real catch with this is how all this information was public for so long. The average user still doesn't understand that they posted their PII to a searchable database, and ultimately the ramifications of doing so. Even now, yes, FB has restricted phone numbers, but a simple bot friending people on FB, which many users would blindly accept requests from, would once again reveal all this data.

My guess: the data was exfiltrated by a FB employee intending to use it for their own startup.

Is this just Facebook users? Or does this include people who just use say, Whatsapp?

Then remembering this: https://arstechnica.com/information-technology/2018/03/faceb...

Makes you wonder.

This isn’t getting old to me yet!!1

If this had European users, will they get slugged with a fine of 4% of their revenue under GDPR?

The article screenshots show a redacted Facebook user in the UK.

It sounds like this was scraped before the GDPR went into effect.

In https://techcrunch.com/wp-content/uploads/2019/09/fb-3-2.jpg I see "update 2019-8-28". Updated from where?

From the article:

> ..The data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.

EDIT: Oh, you were asking "from where". I'd be curious to know the source of this database too, since it's probably just one of countless copies circulating...

Glad I didn't give them my phone number despite them pestering me for it.

Oh, don't worry, some of your friends probably already gave it to them when allowing Facebook to see their contacts.

Does anyone know how to get this dataset?

Better headline: "Facebook disrupts the phonebook business with new lookup app"


Back then they were home phones; they belonged to a household more than an individual. You had to be home to receive calls. Telemarketers arrived fairly late in its existence. Robocallers were rare. You couldn't be spammed with text messages.

White pages worked because there were fewer bad actors.

You mean white pages :)

At one point as a kid we were getting a single FAT combo. Maybe that was a regional thing.

Sure, but the paid advertisements of the combination book were yellow and the opt-out listings were white; were they not?

Not necessarily. My first yellow pages as a kid were all one color.

(Small city)

People could opt out of that though.

Intentional. Zuck should go to jail.
