Not that "old." Some of those "update" dates are just a few days ago.
The age of this data may be "old" by whatever definition Facebook is using, but it is still of great interest to identity thieves and ne'er-do-wells.
I had to get a new number when I discovered my NZ family could receive my texts but their replies never arrived at my end.
For more info, see https://www.theregister.co.uk/2017/07/20/uk_number_porting_c...
(From ): "One of the very few countries not to use ACQ/CDB is the UK, where once a number has been ported, calls to that number are still routed via the donor network. This is also known as "indirect routing" and is highly inefficient as it is wasteful of transmission and switching capacity."
"Because of its donor dependent nature, indirect routing also means that if the donor network develops a fault or goes out of business, the customers who have ported numbers out of that network will lose incoming calls to their numbers."
Shortcodes are phone numbers that are carrier-specific, e.g. the three digit code that you use to access your voicemail etc.
The phone company knows the identity of the calling handset when it gets the text message with a high degree of certainty, as the handset is directly connected to its network.
So the person doing the transfer has to be in possession of the phone, or able to spoof or clone the phone.
Trivia: an attacker who redirects phone numbers to gain access to a bank account https://williamedwardscoder.tumblr.com/post/24949768311/i-kn...
You just contact your existing provider, tell them you wish to leave and need the PAC code. After they beg you to stay and throw you a sweetheart deal, they'll send it via text or post.
Same in Germany.
Actual ruling: https://crtc.gc.ca/eng/archive/2005/dt2005-72.htm
Further regulation covers number portability beyond the named carriers, and requires all carriers to register with the CRTC, etc. https://crtc.gc.ca/eng/archive/2017/2017-11.htm In return, the CRTC helps guarantee access to the large players’ wholesale networks, though in practice the fight is still ongoing over newly installed fibre optic networks and the uncompetitive rates the incumbents charge for full speed service on their networks.
It’s not all good news: a particularly disappointing CRTC ruling followed Bell Canada’s recommendation that Canadian TV should only be provided via Internet if the household has internet from that TV provider directly, which has effectively locked out any over-the-top competition such as YouTube TV from Canadian markets as they won’t be able to offer Canadian OTA channels. Sadly, I can’t find the ruling in the mess on the CRTC site, as CRTC language is obscure to say the least, but as TV is heavily regulated in Canada, the CRTC has old fashioned rules saying IPTV providers must provision a box and a line for service (Internet) in order to offer TV. This limits competition to only those willing to provide Internet in Canada to every household, or requires third parties to negotiate with incumbents for access to such households. Existing third-party ISPs/Canadian IPTV companies go along with the above rules because nobody wants US providers entering the market; they just want to carve out cheaper Internet+TV price points with competitive Internet speeds that the incumbents don’t offer at competitive wholesale rates, and benefit from a high switching cost where switching TV providers means switching ISPs, knowing most people won’t do it. Until we have enough VOD content, Canadians are either pirating, using VPNs or paying their ISP for television, not having any other legal choices in this country...
While I can’t find the ruling just yet, here’s an article from 2015 highlighting Bell’s requirement that IPTV be restricted to ISP lines: https://www.cbc.ca/news/business/bell-crtc-25-basic-tv-1.375... And here’s an article where Bell refused to license their networks to VMedia’s Roku app arguing that by going over the public Internet, VMedia was running the content on a private network outside Bell’s control (Most IPTV providers find it cheaper to bundle with Bell’s VDSL) https://www.cbc.ca/news/business/bell-vmedia-iptv-internet-r... This later led to the ruling that only ISPs can provide TV...
Personally I’m more irritated by how much VOD content Bell has exclusive license to, such as their Crave+HBO, which is cheap for now, but helps Bell compete with channels offered by Amazon Prime Video. Corus, formerly owned by Shaw (another cable provider) licenses a lot of US content, and so might limit what content is available north of the border. It’s particularly hard to find VOD episodes from Turner and Viacom networks and the expanded licensing STARZ has with Hulu is completely absent north of the border. When you can’t find a show legally on any VOD network in your country including iTunes, what are you supposed to do...? CRTC rules are not making this any easier for Canadians to watch what they want, wherever they want (ISP requirement means your cell phone must also have service from your IPTV provider, it’s nuts), and on whatever device they want...
What? That's not true, I reported the issue about user enumeration via phone numbers being possible in Whatsapp, Messenger and Instagram to them last week and they claimed (paraphrased) "it's a feature, not a security issue".
"But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new."
Somewhat curious what the Status key represents in this dump, personally.
Ah right, that's why I couldn't find someone...
or even this :-)
Given GitHub actually even provides a convenient, public, unauthenticated API, it makes it even more easy:
And then I match it with their personal phone numbers in the dataset (apparently it's now offline, but maybe another one will reappear at some point).
And then I can just call these phone numbers and sell them stuff? And it's perfectly OK because even if a dataset like this goes into the wild it acts as nothing more than "just a phone book"?
I have a feeling it's worse than that. (I haven't rigorously perused the ToS, if I'm wrong please lmk.)
Let's say your friend John has an iPhone and saves your name and # in their contacts. One day John installs the Facebook app & opens it. John is not technical and when the app requests permissions he taps 'Allow'. At that point AFAICT there's nothing stopping Facebook from snagging your name & number and populating a ghost profile, or corroborating a real one.
In other words, if you've ever shared your phone number to someone who uses the Facebook app who doesn't dutifully and consistently reject permissions prompts, it's probably already too late.
My only explanation for that was exactly that it had been farmed from a friend's contact list.
You can tag someone that isn't on Facebook? I'm pretty sure the box uses Facebook accounts...
There are no mutual friends or any other link it could make apart from linking my contact list with their number.
The bigger the network, the more value a user gets, and the deeper the lock in.
It has been shown over and over again that both Facebook and Google will go to extreme lengths to know about their users’ lives and target them with precision ads. They are advertising companies foremost.
What is the point of these products if not linked to my real identity? That’s the whole idea of them. I use Facebook and WhatsApp to talk to people who know me. That’s why they want to talk to me. If they didn’t know my identity they would want to talk to me.
Edit: Unfortunately it probably is their business. A poor choice of words.
For many purposes the companies don’t have to care about your "real" identity.
Off-the-top example: if four of your friends are buying gifts for your baby shower, this is a signal that your other friends have the intent to buy baby gifts and could be marketed to.
Someone's going to say that's to cut down on fraud/increase security, right? Yet these services are going to (against many in the InfoSec world who are screaming "STOP DOING THAT") use SMS as a means of 2FA...
I'm a bit confused where the value add is for account security in making virtual telephone numbers such a hit or miss.
Get a password safe, and don't forget your complex passwords.
Yes, allowing someone to reset their password through a second factor is bad; but that's not 2FA, that's two independent 1FAs.
Between MongoDB, Jenkins and Elasticsearch, that's a whole ecosystem of pwnability that is probably just starting to be exploited.
..including any private data they can gather on you, via search, maps, analytics, browser..
I wouldn't put it past Google to be already indexing exposed databases (or continue indexing ftp), just not making it publicly available.
The probability of your phone number not being uploaded to Facebook is basically 0.
Whether or not that information was part of this database isn't clear, but it also isn't something the parent comment claimed.
> You are likely in this database if even a single one of your contacts uploaded their contacts to Facebook.
Shadow profiles are old news. The suspect claim is that the parent comment is more informed on this database than the source that published it.
> Whether or not that information was part of this database isn't clear
Yes it is. According to the source this particular public data dump consists only of entries with IDs linked to a Facebook account.
> Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account
For the parent comment saying they were in the data set: my initial interpretation was they meant if one Facebook user had done so, and you were also a Facebook user, whether or not you had provided your #, it was now associated with you. Your interpretation might be correct though.
As with anything like this, consult a lawyer who knows this area of the law if you find yourself in this situation.
If the vendor refuses to fix the issue, providing the media with enough redacted info to have them publish a story will force the vendor's hand.
Do HN readers know you can buy lists of millions of people's names and phone numbers from companies whose sole purpose is collecting them, like infogroup?
A major difference here is the ability - at scale - to associate people with their Facebook accounts. There are people who do not want to be associated with their Facebook account, and reasonably so. Not sure why you think that wouldn't be a big deal.
I figured that ever since Facebook instituted the "real name" policy, this isn't necessarily possible.
Is this even enforced? I've had a fake name for years (and I have plenty of friends who've done the same).
IDK how it works; I just know Facebook requires my real name.
Imagine this: someone is on Facebook and wants to hide their identity for some reason. Best examples I can think of right now is teachers who don't want their profiles accessible to their students (because high schoolers can be little shits). Or someone trying to create a new life after domestic abuse. It makes full sense that they wouldn't want to give their full name so that they can't be found. Facebook isn't good enough in real name detection to get it right 100%. How could they?
With this sort of dump, a domestic abuser can much, much more easily find the person they abused, when that person was previously under a pseudonym.
This is just a small example. It gets much more complicated when considering how many millions of phone number:Facebook IDs were released.
Also, needless to say, someone who gives Facebook their phone number for verification purposes likely does not expect that the data is leaked or sold without their permission.
Sadly, this isn't the case anymore. People absolutely expect companies to sell or leak every last bit of PII data they have on all their customers now.
> The database was originally found by security researcher Sanyam Jain, who said that he was able to locate phone numbers associated with several celebrities. It's not clear who owned the database nor where it originated from, but it was taken offline after TechCrunch contacted the web host. There is no word on why the data was scraped from Facebook or what it was used for.
URL -> https://haveibeenpwned.com/
Only if they hashed them separately.
If I understand correctly, someone collected all the queries and all the results and made a phonebook.
I think Facebook cares, but at the same time they always benefited from these measures where they let their users see as much as possible.
Pretty funny. Years ago I very-begrudgingly verified my phone# on my FB account as my employer had me working on a FB integration... I knew I should have upheld my principles and not used my personal account.
I think at the time the only way to be a Facebook Developer was to verify your identity via SMS (or something like that) and you couldn't just create a fake/pseudonymous account for development purposes. I assume that is still the case, but I have no clue.
If I understood this story correctly, it was scraped from accounts that had this preference set to public.
Point is, Facebook probably already have it, the Enemy probably can easily get it.
Facebook is of course evil, I don't want to diminish their scraping and also security mishaps.
the amount of data scandals they had in the last few years is insane
Then remembering this: https://arstechnica.com/information-technology/2018/03/faceb...
Makes you wonder.
> ..The data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.
EDIT: Oh, you were asking "from where". I'd be curious to know the source of this database too, since it's probably just one of countless copies circulating..
White pages worked because there were fewer bad actors.