A note for people with US numbers who aren't finding their info:
> And finally, one last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.
US numbers begin with international code 1, and it seems that they aren't yet searchable.
I was surprised that mine hadn't come up, since I've had a few Facebook accounts over the years with my phone number, and this explains it.
"When you search any of the endpoints on Have I Been Pwned, you can add a + prefix if you like and it'll be automatically stripped off when performing the search. Same with spaces and same with dashes."
As a foreigner I would say this is a bad thing. Ultimately, it'll be the outcry (or lack thereof) in the US that will determine whether or not Facebook will start taking people's privacy more seriously.
Given that the overall share of US accounts on Facebook is in the same range (FB has 2.6 billion users in total), I would say the US is represented exactly as expected.
Yes, please do this if you are protected by European regulations.
I also wish we could do more to put pressure on Facebook and other bad players. Can’t help thinking this is viewed internally as just more work for the legal department followed by an X billion euro “cost of doing business” fine after so many years.
It’s not the point. You can sue for damage if you want, but that is something else. The point of the regulation is to punish bad actors, not give money to users.
In German legal thought and practice, we have the distinction between Buergerrechte (civil rights, perhaps) and Menschenrechte (human rights).
The former is for citizens, the latter for everyone.
In the US, privacy falls in something like the former: there are supposed to be legal safeguards to keep US citizens from being spied on, but e.g. the NSA wiretapping foreigners is fine and even encouraged.
> In German legal thought and practice, we have the distinction between Buergerrechte (civil rights, perhaps) and Menschenrechte (human rights).
That is my experience in a couple of other European countries as well. Of course, some rights are reserved to citizens: vote (although that is changing for local elections), things like service at embassies and consulates abroad, and some aspects of immigration.
But except for these narrow aspects, the law should be the same for everyone: we are not a caste system.
Yeah, these companies that rely on user data will NEVER delete your data once you submit it to them (regardless of whether they say your data is deleted or account closed). For a company like FB you are the product.
My experience is completely opposite to yours. I have a facebook account, phone number added and verified, profile privacy set to "friends only", but I can't find myself in the leaks.
My understanding of the dump is that it was scraped, thus it's non-exhaustive by nature. There's only half a billion accounts in it after all, and Facebook has far more.
I started taking and deleting my data off FB 5 years ago, after I knew better. I'm only on FB because of Messenger, and check FB less than once a month.
I think that's a better approach than suing them and getting the $10 from a class action.
My understanding is that all numbers in the dump correspond with Facebook accounts, so this shouldn't be the reason.
Another option would be that someone else has that number listed for their account. Has Facebook always required confirmation that a number is valid? I saw one of my friends' numbers in the data except the account had a different name.
It is still PII which sometimes has specific laws and rules around its use depending on where you are.
If I give someone's social security number to a company that doesn't mean they can publish it on the front page just because the person it belongs to didn't hand it over.
It's your phone number (or possibly also the phone number of the person who had it before you) but, like images of yourself, they're probably in tons of places that you don't control and never will.
Every time Facebook/Gmail/Google/Amazon/LinkedIn/Tinder/whoever asks me to give them a phone number "just in case", my first and only thought is "hell no". I haven't been wrong a single time.
Let's not forget the notable case of Twitter "accidentally" using your provided phone number for advertising purposes [0], and to this day still banning you after registration if you refuse to give it.
Twitter also had staff who leaked Twitter account PII from the Twitter DB to spies from the Saudi government, who have a habit of killing journalists from time to time.
Twitter is especially silly in that regard. The info page on why my account was banned implied that one of my tweets violated the community guidelines - although I never tweeted anything.
Even more frustratingly, there is a form to appeal a ban. After filling out that form, I got a confirmation mail stating that Twitter will "respond as soon as possible", or in other words, never.
I do not understand why they bothered to implement all that hijinks to waste my time. Simply disallowing signups without phone number would have been much simpler and less dishonest.
I had that experience, maybe they are more forgiving to IPs coming from certain countries or locations. IPs from my country tend to be treated as suspicious (not as bad as Tor but bad enough to be an annoyance) so as soon as I registered on Twitter I got a notice about "suspicious activity" and about having to validate a phone number to be able to use the account. At that time (2015 I think, I don't have the account anymore) you could get around that by contacting support, explaining that you don't have a phone number and waiting a few days for them to manually unlock the account.
Edit: this happens with Google and Yandex as well, requiring phone number to sign up (Yandex can unlock you if you contact support). Microsoft isn't as bad and can work with just a secondary email instead of a phone number. Also the whole country is banned from downloading the Lynx web browser at https://lynx.invisible-island.net/
> as soon as I registered on Twitter I got a notice about "suspicious activity" and about having to validate a phone number to be able to use the account. At that time (2015 I think, I don't have the account anymore) you could get around that by contacting support, explaining that you don't have a phone number and waiting a few days for them to manually unlock the account.
Same thing happened to me last year in the US. The kicker was that they automatically opt you in to product update, daily digest, etc. emails. But those emails don't have a 1-click unsubscribe - the unsubscribe link takes you to your account settings, which you can't access when your account is disabled. So you can't unsubscribe from the emails or delete the account.
You can either add a phone number to stop the spam, or search around to find the page where you can submit a ticket (because there's not a support link on the disabled account page) and hope someone gets to it eventually. They never even replied to my ticket, they just silently unlocked the account after a week or two.
Sadly, many companies now require a phone number to use their services. For example: Signal, Telegram, WhatsApp, social networks like Instagram and VK. They don't like anonymous users. For some users, Google requires a phone number to sign up. Twitter requires a phone number if they see something "suspicious" in a user's behaviour.
Not to mention WhatsApp is actually broken. It's bound to your phone number and you can't change it. If you change SIM, your account is wiped.
AND the worst: your contacts are not notified so if they send a message to the old number, it will just silently fail.
Absolutely horrible. I never understood how WhatsApp could be phone-number bound and not account bound like everything else out there.
I've been using a MySudo phone number for signups when I'm forced to give out one. It has reduced the noise I get in my messages for my real number.
If my banks are all willing to use my Google voice number, then any other site should be willing to as well. And yet, most websites that want a phone number won't take it. My GV account is in use for WF, Discover, PayPal, Steam, and it was previously in use at BofA when I had an account with them.
It's crazy that a phone number is a secret. The problem isn't having the phone numbers; it's all the terrible systems that only work if phone numbers are secret.
Phone numbers are not secret. These services ask for it mostly to be sure to get the right one (checking is expensive) and/or to have plausible deniability of your consent when they abuse it later.
> "One last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 9 have completed loading. The other codes are in progress and may take several hours more before they're searchable."
Thanks, because the end of the blog post mentions 8 instead of 9:
> At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.
One other attack vector with this data that I've not seen much chatter about is that the phone numbers (and other leaked data) are sufficient to create a Facebook Custom Audience and directly target the associated people with ads. Cross-referencing these numbers (or pivoting through names) with any external data source and you've got the capability to target specific voters, for example. Facebook made a lot of changes [eventually] to their Custom Audience abilities via user ID as a result of the Cambridge Analytica scandal; this leak makes it not too dissimilar in terms of how you could at least segment and direct target ads.
Getting to the point where we’re going to need phone, email, and SMS to be deny all by default. Can’t reach me unless your information is already in my contacts.
My phone number (and some other details) were part of Nano Ledger's database that got stolen last year. So, some entrepreneurial scammer started calling me on a daily basis a few months ago. Really annoying. I'm well aware my phone number and email addresses are pretty much public information at this point. I actually put that on my web site even. But stuff like this makes me even less likely to answer unknown numbers. Hilariously, the scammer actually called me while I was giving a security briefing to our company about enabling 2FA. I put him on speaker and we had a good laugh while the guy insisted in broken English laced with expletives that he "had my money".
A few months ago some criminals social engineered themselves past my bank's security as well. The first I learned about this was a funny conversation (by phone!) from an actual Deutsche Bank employee asking me if I recently changed my address and phone number and whether I opened ten new accounts. "eh no?!..." Basically their fraud detection system kicked in before these people did any damage. I made a point of not doing anything else than confirming information they already knew (like my old address, email address) and asked for an on site meeting to discuss things in more detail. I realized instantly I had no way of verifying anything I was being told on the phone and might very well be talking to a scammer. As it turns out this was for real and the person actually managed to find my "old phone number" in some archive. Otherwise all my contact information had already been changed by the scammers. Thankfully I answered that call. Apparently, this happened to several people.
Basically, what happened was some persons just called the bank's help desk, asked them to reset my online banking access codes, and then somehow intercepted the PIN codes (thanks Deutsche Post) before they reached me. The theory is that somehow the security of the distribution system was compromised. As far as I can tell, nobody broke into my building or mailbox. Then they started using them to change my address, etc. They got caught only when they created sub accounts and started transferring money.
I've been called twice by my bank to warn me of possible fraudulent activity. Both times I hung up on them and called back at the bank's own public customer service line and asked them if that was really them calling. Once it was and once it was not, so I'm glad I was that careful.
The phone scammer, no. Just some idiot trying to get me to do stuff I should not be doing. Given how he conducted himself on the phone, he probably does not have a great conversion rate. People that do this are not exactly criminal masterminds. But I guess some people get bullied into handing over their private keys, which I assume is what he was after. He clearly had some setup that auto dials numbers. After this, he apparently removed me from that list. So, tip: annoy the hell out of them and waste their time as much as you can when this happens to you. Putting him on speaker got a few giggles out of the team.
The criminals that got into my account got too greedy. The bank's fraud detection system kicked in and rolled back the transactions. But at that point they had complete control over my account. Very scary. If they had been more subtle, they could have likely stolen quite a bit. So, also not criminal masterminds probably.
Possibly, but we can't do that either. What we need is some balance of both worlds. OOH, we do actually need to be contactable. OTOH, being too contactable means spam. I doubt there's a perfect balance, but either extreme comes with too many problems.
Email has decent spam filtering, and I think that kind of cat-mouse system will persist. That said, there's "room" for more whitelisting.
"I doubt there's a perfect balance, but either extreme comes with too many problems."
In principle, "pay me a small fee if you're not on my list, if I put you on my list now it's free" would work well (optionally refund someone who contacts you out of the blue that you approve of), but there's a lot of both engineering and social details between where we are now and such a system.
It doesn't take much cost friction to deter mass spamming. I don't think much problem would be left behind from the handful of overconfident spammers who think that they can bust the odds and it's worth 25 cents a message or something.
This is one of those ideas that appeals to economists and nerds, but rarely works out irl.
Artificially or intentionally aligning interests tends to be a "genie, make me a sandwich^" problem. There are lots of places where "reversing the charges," seems good in theory... but it never happens.
Anyway, LinkedIn has something like this. In practice, it feels like a better quality of spam, rather than a solution to spam.
Sounds like a good idea on which to base an ISP startup.
"Anyone not on your contact list will take $1 off your monthly bill for each phone call, SMS, or eMail they send to you (through our phone line & email servers)"
I found a novel solution by accident to this. I moved to a new area but kept my old number. 99% of my spam calls are from my phone’s area code. If you are not a contact and a number comes up from that area code, it is spam. If it is my new area code, it is a person or business trying to reach me.
Same (though "I moved to a new area" happened in 2004). At this point I've just blocked the entire old area code and neighboring ones, aside from existing contacts.
As do I. This is a difficult problem to solve especially as the signal to noise becomes worse as abuse becomes more common.
I've had to wildcard block my area code (since I don't live there anymore) which captures 95% of my daily spam calls - but people can still leave a message to break through my wall if it's truly urgent. I don't see how this could work with SMS.
Even message requests on facebook/messenger have problems where you are unlikely to even see the request unless you check regularly.
No, I have never bought an extended warranty. However, I did today make good money on a business transaction because a stranger was able to reach me. I also had to delete some voicemails about extended warranties. This is a worthwhile tradeoff for me.
It's a hard problem to crack. Some legitimate places need to be able to call you without you knowing them ahead of time. Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?
There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.
> Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?
Just wait for the deepfaked voice call scammers. Their best bet is to work up the hierarchy; a tiny local police station knows how to get in touch with a bigger police station that can contact an embassy, etc.
> There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.
All of these use-cases allow someone to spend the time to contact you via your preferred contact method, whatever that might be.
I'm in my 30s and I can't think of a single time I have ever received a phone call that I didn't expect. I get several spam calls every day. I would make the trade (and recently have, I block all unknown numbers now).
> I'm in my 30s and I can't think of a single time I have ever received a phone call that I didn't expect.
I've read that people not answering their phones is the number one reason that COVID contact tracing doesn't work.
But your comment makes me think that you've never had food delivered. Never used an Uber. Never owned a business. Never bought or sold real estate. Never rented a place to live. Never gone to a restaurant with a wait list. Never done a lot of things that are perfectly ordinary, and require allowing people to contact you when they have questions.
Most delivery services with an app have messaging built-in so you don't need to rely on calls, but I also know when I'm expecting a delivery or a driver to pick me up, and if an unknown call comes from my area code (the one I'm actually in, not the one my phone number is in), I'll answer that. It's pretty easy to distinguish between times I might expect a call and all other times.
For all those other things, though, I'm not sure why you need to answer unknown numbers. I've never owned my own business, but did manage a small business and we had dedicated business lines. No one needed to call my personal phone. For buying and selling real estate, there are agents that act as go-betweens and you can put their number on your contacts list. For renting, put the management company on your contacts list.
> Most delivery services with an app have messaging built-in so you don't need to rely on calls
I've used dozens and dozens of delivery companies over the years, and the only delivery company I've found that doesn't have its people calling on phones is DoorDash, and even that uses SMS. Plus, most of the best places don't use services, they have their own people.
> we had dedicated business lines
Doesn't help you when someone needs to contact you in an emergency, like the alarm company, or the landlord, or security, or the police, thousand other things.
> For buying and selling real estate, there are agents that act as go-betweens and you can put their number on your contacts list.
Sounds good in theory, but doesn't work in practice. There can be dozens and dozens of people and companies involved in such a transaction, and you can't predict who they all are.
> For renting, put the management company on your contacts list.
When the management company sends a vendor over to fix something, you don't know what number they'll call from.
To "never" get an unexpected, important call sounds like a side effect of a quiet life. I envy you.
You're pretty much right on all of those. I do own a house (don't remember getting any calls, but that was a decade ago) and I do occasionally get food delivered (why would they call?). Otherwise you're right, I've never done any of those things.
All I can say is that I've had to make these calls myself and I was indeed quite happy when my family members picked up. It's hard to imagine it until it happens to you, but when you only have two phone numbers you have memorized and nothing else in your possession someone picking up is magic.
I know that we deserve something better than what we have now. I know we shouldn't have to put up with spammers calling constantly, but we don't live in a perfect world yet. We live in a messy world where sometimes people need to make a phone call and hope their loved ones pick up. I can think of a plethora of possible technical solutions, but that's beside the point. We need phone numbers to work. Let's focus on solving that problem, not trying to imagine it doesn't exist.
My iPhone is set to "Silence Unknown Callers." It's the perfect compromise. If a call is legitimate they'll leave a voicemail and I just call them back.
I discovered recently that my Verizon phone service’s voicemail had been full for several months. I’m not sure how I was ever supposed to discover that, but I ignored what turned out to be an important phone call and got burnt because I assumed I’d get a voicemail.
Non-technical speculation, but based on my own experience as an ordinary Facebook user:
I'm increasingly confident that this breach/leak has come about mostly through the privacy search setting (buried in Facebook's privacy settings - https://www.facebook.com/settings?tab=privacy -) which allows "Everyone" to search for a number in order to find your profile if so enabled.
This is a bit like an option that PayID/Osko (instant bank transfers) in Australia allows - one could bash through random mobile numbers and discover more information than just the number. I've always found this option to be creepy because I don't want people who might otherwise have my phone number legitimately to be able to facestalk me.
Please note that this is separate to displaying contact info publicly on one's profile page - yes, there is a dizzying array of different privacy settings on Facebook. Would Mark Zuckerberg have ever displayed his phone number publicly? I doubt it. But would he have allowed others who already have his phone number to search for him on Facebook? I'd say almost certainly yes.
I used to use Facebook more than I like to admit and I have provided my phone number to Facebook in the past, yet have managed to avoid being in this breach, whereas some people I know are in the data set. This means I'm quite sure that I'm not returning false negatives with the search.
Looking at the full breakdown [0], a bunch of middle eastern countries have near 100% breach. It seems like they were the target, and all the other countries were just collateral damage maybe? Canada, US, UK, all sitting around 10-20%.
But I too noticed the breach rate in the Middle East seemed unusually high, except my initial assumption was that perhaps the way Facebook was introduced there led to different behaviours in how one finds each other on Facebook. Perhaps it could be even something as simple as small differences in translation that lead to different behaviours when it comes to setting up a Facebook account.
The reason this is my initial hunch (rather than any kind of targeted campaign) is because different parts of the world interact differently with different communications platforms. For example, iMessage is very popular in USA whereas other parts of the world favour WhatsApp, or Telegram, or WeChat, etc. Is there any one concrete reason why one population might choose one "less secure" app over another "more secure" chat app/social network? I'd say probably not and yet, we see large variations depending on which border surrounds a user.
So perhaps a similar 'benign' explanation could explain the high breach rate in certain countries. Perhaps phone numbers are treated differently there too? Other than that, I have no idea. Unfortunately, I know very little about the Middle East let alone the languages there, so this is mostly just a guess.
The rates in those countries are way too high to be some optional feature like a messenger. It has to be something that was 100% turned on in those countries, but maybe optional/opt-in in the west? Or maybe they were doing gradual rollout of the feature, and they had rolled out in those countries fully and were at like 10-20% rollout in north america?
After my wife's suicide (See the documentary Pain Warriors) I took over Karen's FB account as my own, and I changed the name on the account. Long before this breach I have been getting SMS Spam addressing me as Karen, on a number that did not exist when she was alive.
FB data can be the only possible source of that spam.
The spam is always trying to sell male enhancement products to 'Karen'. Anyone know how to stop this SMS spam crap?
Sorry for your loss. Right now I'm pretty happy that I scrubbed all information of my FB account months ago. If only people could stop using messenger so I could delete it.
But I have a similar, but unrelated to FB, problem in that every month I get an offer to work as a nurse in Norway from different agencies. I figured they scraped some "find the number" site here in Sweden long ago and since my mother's name was on my bill I guess my number somehow came up under her name.
It's been annoying for years but since my mother had some (non-corona) medical problems last year it has been downright infuriating at times. Anyone know how to make it stop when there is a bunch of different agencies messaging you?
Would you mind elaborating on how you "scrubbed" information from your fb account? It's been years since I closed my account but I know (e.g. see this article) this is not enough, so I consider reenabling it only to delete all my info, and then finally (?) deleting it.
I deleted everything, going through every page and my whole timeline etc. pressing delete on everything. I considered changing my number etc. to nonsense, waiting a week and then deleting it, but I figured Facebook are probably versioning that stuff anyway.
Right now my profile picture is a plastic duck, there are no photos and no information apart from my name and my throwaway email address (which I hope is hidden from the world via settings).
There is also a "privacy page" there where you can check what information they have saved about you and if you forgot to delete something. I would probably have done it this way first if I were to delete my FB account but for now I need Messenger.
If you are running firefox you should also install "facebook container" even if you don't have an account. :)
I think it's pretty hard to stop incoming spam when the number itself has been made public.
The only options I know would be:
a. Play whack-a-mole: report the number to the authority in your country that handles this kind of spam activity.
b. Use some kind of mobile application that filters out the spam SMS. This one is kinda hit and miss, since the number data is coming from community reports, so some spam might pass the filter. And there might be some false positives from the spam filter.
I also would like to hear if there's an alternative solution for this problem, other than changing the phone number itself.
My phone has an option called Do Not Disturb mode. I have set a schedule to turn it on every day from 12AM to 11:59PM. What Do Not Disturb will do is block (silence the notification or ringer) every message or call from someone that is not in your phone book. Unfortunately you'll still get the spam SMS, but you won't get the alert.
The only way I can see striking back at these spam calls is to pick up the call and waste their time, because it's expensive. Also if I pick up that means someone else is not getting scammed. I try to get as far along in the scam process as possible.
I enjoy the Pixel line of phones having Google Assistant answer spam calls for me. Sometimes it's fun to watch the conversation they attempt to have with the assistant.
This isn't just Pixel phones anymore, and it hasn't been for a while. You can also tell that it's not a person sometimes (specifically extended car warranty for me) if you have a cheap phone like mine, because you can hear the message on the other end start as soon as the line opens, before the phone shuts off the speaker and starts playing its own message; once the assistant finishes talking, you can see the transcript start in the middle because the other end doesn't recognize Google Assistant like it (probably) would an answering machine.
At least here human operators apparently are paid for call duration and they will prolong the call up to 15 minutes and you don't need to say anything.
If you only mean "how not to be bothered" (instead of radical actual solutions of legal nature etc.), and the sender is a recurring number, very probably your phone OS has an option to reject calls and/or messages from specific numbers.
There was a spammer that bothered me, I blocked the number, and started receiving spam from adjacent ones (same number, just the last digit increasing by 1). Had to block 5-6 for them to go away.
As a Syrian who has used many throw-away accounts on FB, this is a life or death matter for many of us. I'm sure the Syrian regime will use this information to track activists. I have checked and there are 7 million leaked accounts from Syria, probably covering everyone who uses Facebook in the country. Facebook made it mandatory to provide the phone number and now that this is leaked, they bear the moral responsibility for all the people who will be affected by this.
> they bear the moral responsibility for all the people who will be affected by this
Facebook should not be held responsible for dictatorships and totalitarian regimes killing people - even if they use Facebook's leaked data to do so. It's quite unfortunate, but the responsible party to blame is still the people actually doing the killing.
I searched the database and haven’t been pwned, but of course I know why: I never shared my phone number with FB, and this confirms my idea that sharing anything with FB is a terrible idea; even the real name with correct spelling can cause issues. I urge everyone who wants to still hold a social media account to add an alternative spelling for their name. When info leaks or one gets unsolicited messages of any kind, it becomes very easy to backtrack to which social media account the leak is coming from. Perhaps one more reason (from the many) to disable that account.
Found my number on there too even though I've deleted Facebook for at least 5 or 6 years now -_- Not sure when I gave them my number either, I hope it wasn't scraped from someone else's contact list...
At least it makes sense why I received a bunch of spam calls over the weekend.
Anyway it's probably good practice to recycle your number every few years, and not use it for 2FA to make switching numbers a lot easier. Who knows what services I'll be locked out of once I change, let's hope not too many.
I can’t imagine telling everyone I know that I’m changing my number every couple years, and I’m not even calling/messaging a lot of people nowadays. I have a family member who did something similar(not on purpose) and I still have 3 of her numbers and still get confused which is the working one.
I had a company phone about 6 or 7 years ago for a company I worked for at the time. When I was on my way out they unilaterally revoked my company-provided cellphone after convincing me I should get rid of my old private number for theirs.
I'll never do that again. It happened shortly after ditching social media and I lost just about all of my contact info, and I haven't been in touch with some old friends because of that since then.
Even if you had the time to transfer your contacts, etc, something will inevitably get missed.
Hell, I've updated family and friends to an email address I've been using for closer to a decade and they still email the old one...
I know exactly what you mean, there's only so many times you can append "New" on the end of a contact name!
A good chunk of people will probably communicate mostly on platforms like WhatsApp/Telegram/Discord/whatever that don't need numbers at all or facilitate switching of numbers without your contacts having to do anything. I don't think that will constitute anywhere near the majority of people across the world though; switching numbers will definitely be a pain for most.
"Anyway it's probably good practice to recycle your number every few years, and not use it for 2FA to make switching numbers a lot easier."
Ironically Twilio of all places forced SMS 2FA on all accounts earlier this year.
As in, one day you could no longer log into your Twilio account without giving them a phone number. You are locked out until you do.
Ironic in a few ways ...
First, Twilio numbers are not mobile numbers - they are VoIP numbers - and cannot be used for most 2FA authentication services because they cannot receive messages from short codes. So it's ironic that Twilio forces you to use a non-Twilio number for their 2FA.
Second, many Twilio use-cases (like mine) involve building a Twilio infrastructure to replace my existing phones/numbers ... and now that is broken from the bottom up because I have to use a mobile phone with a fixed provider just to use Twilio.
The bottom line is: none of this is for me or my safety and security. Twilio has a spam problem and that spam problem is very hard to solve. Forced pairings of physical phones and SIM cards are just a desperate way to throw sand in those gears to slow it down a little bit.
I have had a Twilio account for years, and have always used the proprietary MFA implementation from their Authy app. I don’t remember being forced to switch to SMS MFA.
I thought this was the norm. I've had the same number for 20 years now, though have moved through many different area codes since. But, I must be the odd one, because I get asked regularly why I have the area code I do, and the answer "because that's where I was living in 2001" doesn't seem satisfactory.
Thanks, I was looking for that. Aside from linking my name to my cell phone number (which I really can't even assume is private anymore) there's nothing private in there for me.
This set is missing Australia yes, but not the other set Troy Hunt was sent - he covers this in his blog post and tweets. There are at least two sets floating around. The ones loaded into HIBP do contain Australian numbers - I've checked.
I'm slightly surprised to find that my number has apparently not been pwned, given the huge uptick in spam calls that I've been receiving which seems to be coincident with the Facebook leak.
I have noticed an uptick in the number of scam calls and texts I've been receiving over the last few days. No surprise that my number was included in this dataset.
This page [1] suggests that "non-material damages (for example distress)" are sufficient to "claim compensation from the website [...] as they have breached the data protection law by not providing adequate security".
I've gotten spam calls since the breach, sometimes in the middle of the night while trying to sleep. That's distress.
I'm speaking hypothetically of course, I haven't actually been affected by this leak (so far).
But that doesn't seem hard to prove at all. At the very least, you could claim that Facebook's leak forced you to pay for identity theft protection/monitoring as a very reasonable precaution, and whatever that cost you would be the damages.
Then of course there's the possibility that someone did actually steal your identity and used it to drain money from your accounts, or simply caused you to waste a bunch of time hunting down for example fake accounts opened using your information, credit cards, etc.
And I'm not a lawyer, but I'm pretty sure somewhere in all this fuckupery you can throw in some punitive damages.
How you gonna steal someone's identity just by knowing their phone number? You know that's something that hundreds of people and organizations already know?
It's not just their phone numbers, I've looked at the data myself and it's this:
* full name
* phone number
* country/state/city of residence
* country/state/city of birth
* relationship status
* date of birth
* employer
* email address
That's enough to do identity theft, enough to scam people (just look up Jim Browning's various videos on YouTube), and with social engineering techniques the sky is the limit on what can be done with this information.
I'm sure not to be the first one to point this out, but checking other people's emails is quite revealing. It's very much documenting in public which sort of websites about every person you know is visiting. Among them [1] "Baby Names", "Ashley Madison", "Adult FriendFinder", "diet.com". Want to profile your friends – there you are.
I wonder if the benefits of haveibeenpwned outweigh this.
Troy has covered this several times, but some sites, even showing in the PwnedWebsites list, are not viewable until/unless you confirm control of the email address or Domain.
e: To be clear, the Ashley Madison and Adult Friend Finder (both breaches) are denoted on the list as not being publicly searchable.
I just checked myself and thankfully I've apparently only been in a few breaches, but of the ones listed, I only knowingly had accounts on LinkedIn and Dropbox. Nothing embarrassing because I'm smart enough to use burner accounts for embarrassing stuff, but I only even recognize last.fm and LuminPDF as services. I'm surprised last.fm still exists. I guess I might have signed up for it at some point and forgotten.
My phone number isn't in here anywhere, so lucky me, but it doesn't make a difference. The State of Texas finally forced me to get a Texas driver's license in order to continue being able to vote, and the State of Texas sells your address and phone number to marketers once they have it, so my number is trash now anyway. 99 out of 100 texts and calls are either politicians or people claiming to want to buy one of my houses. I basically no longer use a phone except when my dad calls.
I guess the plus side there is I'm somewhat immune from whatever location tracking can't be disabled since I don't even take my phone with me most of the time when I go anywhere, but that was an old habit from when I worked in a SCIF and couldn't bring a phone with me anyway.
I did a lot of searching through the Ashley Madison dump back when it came out. It was pretty easy to find people living in my neighborhood that had accounts. They might not have done anything (it was just billing details after all) but any of that information could have easily been used to blackmail someone. There were also a whole bunch of people using .gov or .mil email addresses. Like if you are going to cheat on your wife, don't make it that easy for someone to realize that you can be exploited for government secrets.
Now I'm wondering how this actually plays with legislation such as CCPA or GDPR, as it is quite revealing even without the more delicate sites mentioned here.
One thing I didn't find on the website was a way to get an email with the actual data that was leaked so I can evaluate what's at stake. Showing it online would be poor privacy but sending it to the email should solve that.
Some of the leaks are from companies I don't even know, that work behind the scenes aggregating information. Particularly for those I'd like to see what was leaked. For the services I actually used directly I have a clearer idea.
> One thing I didn't find on the website was a way to get an email with the actual data that was leaked so I can evaluate what's at stake. Showing it online would be poor privacy but sending it to the email should solve that.
No, it would not solve that, since HIBP would have to store that data (which they currently don't) and thus might be subject to leaks themselves.
I tried fully deleting my Facebook account multiple times about 5 years ago. Each time, it became clear that my information was never leaving. Friends were still able to pull up my account. My credentials were still being recognized and allowing me to login to an account I was told was now nonexistent.
Now I see my phone number was part of the breach. I am so fed up with Facebook.
> Facebook: In April 2021, a large data set of over 500 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.
Troy says: "At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading."
Interestingly, several cellphone numbers I know to be present in one set of leak data which start with international code 4 are not detected by HaveIBeenPwned.
Note to anyone that cares: Make your data as stale as possible: you can't change your address easily, sure. But you can recycle phone numbers (once a year, minimum). Change your credit/debit cards yearly (say to your bank you 'lost' it).
When ordering online, always, always, always use a fake number, it's not required. Always use a fake name where possible. Sure, you need to provide that as a 'billing' address, but in some cases it stops other third parties getting that info (on eBay you can type a random name to ship to, I've had fun with this :) ).
But lastly, LOL. Giving your data to Facebook, this is what you deserve, and for society accepting Facebook as a standard part of life.
> When ordering online, always, always, always use a fake number, it's not required
Don't do this if you order anything that doesn't ship small parcel. The freight company may need to contact you and it will complicate matters and delay your final delivery.
> When ordering online, always, always, always use a fake number, it's not required
Until something's gone wrong in the process and they need to call you to clarify/fix it. (happens regularly to me due to address suffixes not propagating correctly through crappy systems)
I do something similar when a site asks for my birthday. I used to pick a random date, but since it's sometimes used to reset the password or asks you to confirm, I just use the first of January of the year I was born so I can make sure I remember what I put.
When birthdate is tied to an account, I pick a random one and store it alongside the username and password in KeePass. Same as the "security questions"; I make up and store nonsensical answers. E.g. "Q: What was your mother's maiden name?" "A: Blueberry pie."
I do that as well, but I dread the moment I'll have to call support through no fault of my own and they'll ask me for the answers to some of these questions.
I mean, probably anyone could call and start reading off the letters from "correcthorsebatterystaple" and the support tech will go "oh yeah, you're one of those people who thinks they're clever with security; here are all your account details"
Doesn't that kinda negate the goal of using a fake birth date? After all, they don't really care whether you give your real birth date, it's enough that it is the same on that other website they get your personal information from to correlate.
I don’t care if someone leaks my fake DOB in a Dropbox hack and then tries to reset my Netflix password.
Websites that use my real DOB are usually linked to my identity, so I’m much more concerned with protecting them from, e.g., social engineering attacks [0].
I guess the good news is that I still have identity monitoring from that time where the federal government gave up my information, including SSN, phone numbers, finger and toe prints, etc.
I just logged in to Facebook for the first time in years to check the data it has on me. Luckily I never added my phone number or address, so should hopefully be in the clear.
Did you ever set up SMS 2FA? Did any of your contacts use the Facebook app to sync their contacts (at least at one point a default behaviour)? Then Facebook has your number. I remember when I still used it being prompted by a bar at the top of the web UI "Is this your number?" with my actual number, suggesting I add it to my profile, so I know they have mine.
Despite using 2FA and listing my number on my profile - albeit restricted to "just me" - I don't appear in the data. It's not as simple as them just having a record of it somewhere.
I'm in the same situation and very surprised. I've sat here wondering if I'm entering my numbers wrong, or if I'm really not in it. I've read the blog post and I'm entering the 1 in front of my 10 digits, because I'm in the USA.
My wife's number isn't in there, either. I'm just really surprised, because I checked facebook the other day and it said I was searchable by email and phone number.
I even searched my email address, and a lot of other breaches show, but not Facebook.
Likewise, it seems there's more nuance to this leak. I checked the data out and a large number of my contacts have correct numbers in it. At the same time, numerous people don't appear in it, even if they do have a phone number on their profile.
I've been intentionally breaking my social graph since at least 2012.
Looks like it's worked here.
When I make a Facebook account, usually for my living complex's community or a bunch of Gen-Xers doing a burning man thing, I use a new email or new phone number for signup and one time passwords.
I don't let it get access to my contacts, assuming I inadvertently installed the Facebook app on a phone.
Doesn't look like they meaningfully go deeper than that.
I find the social graph to be very fungible, so if I really ever want to recreate it I can just add my phone number or give any app access to my contacts. This knowledge also lets me not be married to any of these services.
I'm very content downloading the account data and then deleting the account.
I have had the exact same experience. Interestingly, it took them a few tries to get to my actual number and they still carried on throwing other random phone numbers I did not recognize.
Try creating a new facebook account today. The site won't let you do that without verifying a phone number. The difficulty level increases if you try doing so behind a vpn.
Same goes for other SM sites like Twitter.
Don't they have a "real person" policy now? I.e. not only phone number but also a requirement to upload a passport style photo. Coincidentally, on entrance to the US a camera makes a high resolution photo of every traveller during passport control.
I believe they have always had this policy, though it wasn't particularly well enforced when they opened up the platform to all comers. I actually had a Facebook account before I even first got a mobile phone at all, back in 2004 when you needed a .edu email address to sign up, which just meant they were delegating identity verification to the university. I think people were fairly comfortable with it back then because the only other users who could see you were people from the same school and it just mimicked the physical "facebook" that universities already published and made available to everyone with directory listings including your official photo and the phone number and room number of your dorm if you lived on campus. There was no open network. You could only even search for people from your own school.
Obviously, the platform has radically changed since then, but they have gotten a lot of mileage out of the illusion that you could freely share what you wanted because the only people who were going to see it were people who already knew you anyway, which was at least somewhat true at first.
Haha, no. It’s enough if one of your friends/relatives/etc. had allowed Facebook/Instagram/WhatsApp/etc. to scan their contact list. Your phone number is in there, just not shown, trust me.
In fact Facebook used to show creepy suggestions when such cross-pollination of data occurred, like “Click here to confirm that XXXXXX is your phone number!”, but they stopped doing that a few years ago.
This is very strange. I definitely have a phone number associated with a facebook account because at some point in the past I used FB 2FA. I have not deleted that number. I have tried it in several different formats, including + country code, leading country code, with and without dashes and I am getting "Good news" message.
I’m so confused. I intentionally refused to give my phone number to facebook and it is not set in my profile, yet my number was pwned in this facebook breach. Is FB associating or storing my number without permission? I have a different number set for 2-factor and amazingly it was not pwned!
I think you may have allowed Facebook to allow other Facebook users to search for your profile via your number. Can you check my earlier comment at https://news.ycombinator.com/item?id=26712835 and let us know whether or not this is/was the case?
> "Facebook Settings > Privacy > How people can find and contact you > Who can look you up using the phone number you provided?"
The data would have been either from abuse of API's by third party apps or find your friend. From the dataset, it seems to be exclusively limited to the data immediately viewable on your profile, hence the reason so few emails appeared in this leak.
I permanently deleted my Facebook account September 2019. My phone number was included in this data breach, which was apparently August 2019. So close. If only I got rid of it sooner.
I've been pwned. Is it known when this breach occurred? I have seen a huge spike in spam calls over the last 3-4 months and now I'm wondering if it was bc of this breach.
My Facebook account got hacked/stolen a few months ago (didn't notice since I hardly ever use it), and Facebook won't give me back access to it even after providing photo ID etc., citing coronavirus-related labor shortages or some such bullshit. But hey, at least now HIBP has the hacker's phone number instead of any of mine!
Over the years, many people who were stuck in the Facebook platform have been coerced by Facebook into providing a phone number to “verify” their account. The other choice given to them was (and is) to lose access to the account because Facebook believes it’s a fake account or a spam account or a “violation of its community policy”.
In other cases, Facebook may get the phone number because someone uploaded their address book/contacts to it. This information shouldn’t be in the user’s public/private profile (even though Facebook would store it internally, use it to figure out other connections and “show relevant ads”).
I expect many of these "people search" sites to link to your fb profile soon using this breach.
I expect the more sophisticated ones to crawl all your social media accounts (twitter, chat apps, etc) by abusing reverse look up using your phone number.
It's not at all a random website. haveibeenpwned is renowned. Your phone number is not uploaded to the server, instead your browser asks for a whole range of (hashed) phone numbers and checks locally if yours was one of them.
HIBP is indeed probably just fine, but I'm not sure how the phone number searching works. "There's no k-anonymity implementation for phone numbers at this point in time."
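The range query described two comments up is the k-anonymity scheme HIBP uses for its Pwned Passwords API (SHA-1, first five hex characters sent to the server); the quote above says it was not applied to phone numbers at the time. As an added illustration that is not HIBP's own code, this is what that scheme looks like if it were applied to phone numbers, with a constructed, made-up set of leaked numbers standing in for the server's data:

```python
import hashlib
from collections import defaultdict

# Constructed sample data: made-up E.164 numbers standing in for a leaked
# dataset. None of these are real numbers from the Facebook leak.
LEAKED_NUMBERS = ["+15551230001", "+15551230002", "+447700900123", "+4915112345678"]

# HIBP's Pwned Passwords range API sends the first 5 hex chars of a SHA-1 hash.
# Applying the same prefix length to phone numbers is an assumption for this example.
PREFIX_LEN = 5


def normalise(number: str) -> str:
    """Keep digits only: a leading '+', spaces and dashes are stripped, as HIBP does."""
    return "".join(ch for ch in number if ch.isdigit())


def sha1_hex(number: str) -> str:
    """Hash the normalised number; the hash, not the number, is what gets looked up."""
    return hashlib.sha1(normalise(number).encode()).hexdigest().upper()


def build_index(numbers):
    """Server side: bucket every hash by its prefix and keep only the suffixes."""
    index = defaultdict(list)
    for n in numbers:
        h = sha1_hex(n)
        index[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """Server side: answer a prefix with the whole bucket.

    The server only ever sees the prefix, so it cannot tell which of the
    (up to 16**PREFIX_LEN) hashes sharing that prefix the client holds.
    """
    return list(index.get(prefix, []))


def is_pwned(index, number):
    """Client side: send the prefix, compare the suffix locally."""
    h = sha1_hex(number)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


def bucket_size(index, number):
    """How many leaked hashes share this number's prefix (the anonymity set served back)."""
    return len(range_query(index, sha1_hex(number)[:PREFIX_LEN]))


if __name__ == "__main__":
    idx = build_index(LEAKED_NUMBERS)
    for query in ["+1 555-123-0001", "15559990000"]:
        print(query, "pwned" if is_pwned(idx, query) else "not found",
              "bucket size", bucket_size(idx, query))
```

Note that with 500 million records and 16^5 buckets, each range answer would carry roughly 500 suffixes, which is why the scheme costs little bandwidth while keeping the queried number off the server.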
Is it just me or... why do people even share their phone number with Facebook? What did you use it for? It wasn't mandatory or anything. Why the Pikachu faces?
My number is on my profile, so that my friends can contact me should they lose my number. Less important now that messenger exists and we can access it any time, but I put it there before it existed. It's come in handy in the past.
I also don't consider my phone number "sensitive" information I want to keep secret - it's already quasi-public and something I give out when I want people to be able to contact me.
I grew up looking people up in the physical phone book when I lost their number, fwiw.
Many companies present you with the opportunity to "Protect Your Account" with SMS, and for that protection they 'just' need your phone number.
Turns out the phone number is the best unique identifier and is the perfect key for joining up lots of disparate sources of data. It's the kind of thing that you could either sell directly or use as an index to determine things like your estimated income.
It wouldn't surprise me if Facebook has had multiple technical methods for devising/stealing and disingenuous "protect your account" campaigns for willingly turning over users phone numbers.
I have my phone number and mailing address on my Facebook, set to friends only.
Why not? When I grew up, we had a phone book listing everyone’s name and address and phone number so you could find them to contact.
I consider all of this essentially public information and would rather make it easier for people I know to contact me. If it gets lost in a breach, whatever. I already get plenty of junk mail because I give to charities and they sell my address.
In addition to other reasons already given, I'm not sure if this is still the case because I haven't used Facebook in a while, but back in the day, the only options for 2FA were code generator in the Facebook app itself or SMS. So if you didn't want to have the Facebook app on your phone, giving them a phone number was the only way to enable 2FA.
Your comment is disingenuous. Facebook has been around for nearly two decades. There's plenty of time there for people to make mistakes and try to fix them. Unfortunately they're competing with their contacts who re-add those same mistakes and also competing with Facebook's own incentives to not delete data.
It'll be fun if/when any of these numbers can prove they requested Facebook to delete their data under GDPR.
I searched my number(s), no hits.
I did a +/- a few numbers, and there is a hit. The message is though: "Oh no — pwned!"
The only information exposed to me is that the person with that number has a FB profile. If I am to trust FB (which I don't - for nothing), it is that FB has this person's number and lost it. I place no reliance on anything that FB states. For all I know that person is a WhatsApp user and the FB branch 'stole' the number and added that to their FB account (yes, I know this is not how data works, but this is how FB works).
(semi-rant follows - apologies)
There is a mention of 2FA/MFA in another comment. I wouldn't be surprised if FB already has a 'super profile', where all data by FB-WA-IG are merged. I believe that would be a nightmare to do, but hey, FB is good at nightmares.
Edit: I feel this is a semi "Ashley Madison" moment. People who have a 'secret' FB profile may get busted by their BFs/GFs.