While I'd trust HIBP more, it isn't doing anything significantly different with the lookup process, is it?
"There's no k-anonymity implementation for phone numbers at this point in time." https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...
Putting a number sends it directly in the GET request: https://haveibeenpwned.com/unifiedsearch/%2B1%20123%20456%20...
Edit: as does looking up an email. It's password lookups that use local hashing/k-anonymity: https://haveibeenpwned.com/Privacy
I have to prune my email inbox like a garden. I'm constantly unsubscribing from stuff. It's just the reality of the way the internet and email work, unfortunately.
I imagine marketers find it significantly more valuable than an email address.
What happened to the good old days of the white pages phone books?
The phone companies required you to purchase your privacy for a monthly fee if you didn't want to be included in their publications.
Had these publications been privacy focused from the start and required opt-in instead of the extortion-for-privacy scheme, I have a feeling that these directories would not have existed in the form that they did, if at all.
Phone numbers are a small search space. You can just iterate through it to generate all possible phone numbers.
Of course, I don’t know that your phone number belongs to you, but I have it. The same applies to this site if you enter your phone number in it. They will have your phone number… so what? They don’t know it’s your phone number, just that it‘s a phone number, which has zero value.
If you search the web for your exact phone number, there’s a very good chance your phone number is on several “who called me?” websites already. How did they get your number? They didn’t. They just list every possible phone number and hope people will add comments saying who called them from that number.
What information are you actually disclosing here, given that the number itself is worthless?
That the phone number is associated with somebody who wants to know if it’s part of the Facebook breach? What value is that information / what are the risks associated with it? Scammers wouldn’t use it because anybody who is looking this information up is probably less likely than the average person to fall for a scam even when tailored to this breach. They’d probably get a better hit rate by excluding these numbers.
How about associating it with whatever information your browser leaks / whatever tracking they can add? Use private browsing / incognito to reduce that. What value is knowing that a person with an arbitrary phone number uses Chrome vs Safari? What value is knowing that a person with a phone number from a certain area is browsing from an IP address also located in that area?
All of the comments people have made about privacy here seem to be useless “oh my god, now they have your phone number!” panic that doesn’t seem to realise that a phone number in isolation is worthless. It’s possible that there are potential privacy problems here, but as far as I’ve seen, nobody has actually mentioned any.
Just about all the others get to go to voicemail and I’ll read the vm messages at my leisure as my phone transcribes them for me.
Best thing they ever did was cancel their (at least) 50 year old phone number.
But it's the same as spam... getting one victim out of a hundred thousand is probably enough to make it pay off.
Any idea why? Is it just luck? Is it that scammers don't target Japan? Is it some technical difference that makes it harder/impossible/costly in Japan? Is it an enforcement issue?
Also what happened / is happening with https://en.wikipedia.org/wiki/STIR/SHAKEN ? Will it solve the issue?
Then you've got to find voice talent. You can find English voice talent all over the globe, Japanese voice talent is harder to find and probably costs more.
STIR/SHAKEN will likely help somewhat. It should make it easier to track down accounts of callers, but we'll have to see if enforcement becomes effective, or if actionable complaints make enough of a difference. I don't think telephone companies regularly record enough metadata for effective enforcement at the moment, and there isn't a reasonable way to report abuse, so most people just shrug and pick up fewer calls; we really need a useful reporting mechanism (dialing * something after you get a spam call should work IMHO; but that's not me doing the work to correlate reports and whatnot).
Now I realize that two days ago I used this website.
Has anyone else had a similar experience? I am not assigning blame here but pointing out a coincidence. It would be great to hear if others are going through the same thing.
I'm not saying this article is crap -- just that if it is, you probably just happened to see it before the white blood cells kicked in.
For example, HIBP does not send your password (or its complete hash) to the backend in order to find if it has been previously exposed. They use this method: https://blog.cloudflare.com/validating-leaked-passwords-with...
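The range query that the comments above contrast with a plain GET of the phone number (the "k-anonymity" scheme HIBP uses for passwords, described in the linked Cloudflare post), shown as an added example. This is simulated code written for this thread, not HIBP's or Cloudflare's implementation; the breach list, the in-memory server and the request log are constructed here so that it runs offline. It also carries the thread's phone-number question through: the helper at the end estimates how many 10-digit numbers would share one 20-bit prefix if the same scheme were applied to phone numbers.

```python
import hashlib
from collections import defaultdict

# Constructed toy "breach corpus" (a real one holds hundreds of millions of hashes).
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

PREFIX_LEN = 5  # hex characters = 20 bits; this is all the client ever sends


def sha1_hex(value):
    """SHA-1 of a string as uppercase hex, the form the range scheme works on."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Simulated lookup service: hashes bucketed by prefix, plus a log of what it learns."""

    def __init__(self, breached):
        self.buckets = defaultdict(list)
        for pw in breached:
            h = sha1_hex(pw)
            self.buckets[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
        self.request_log = []  # one entry per request: the prefix, nothing more

    def range_query(self, prefix):
        """Return every suffix in the bucket for this prefix (same reply for every caller)."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        self.request_log.append(prefix)
        return sorted(self.buckets.get(prefix, []))


def is_pwned(password, server):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


def anonymity_set_size(search_space, prefix_bits=PREFIX_LEN * 4):
    """Candidates per prefix bucket if the whole search space were hashed and bucketed.

    For passwords the space is unbounded; for 10-digit phone numbers it is 10**10,
    so the server could narrow a prefix to roughly this many numbers but no further.
    """
    return search_space // (2 ** prefix_bits)


if __name__ == "__main__":
    srv = RangeServer(CONSTRUCTED_BREACHED_PASSWORDS)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "in breach" if is_pwned(pw, srv) else "not found")
    print("server saw only:", srv.request_log)
    print("10-digit numbers per 20-bit prefix:", anonymity_set_size(10 ** 10))
```

The point the example makes concrete: the server's log holds 5-character prefixes only, and the reply for a prefix is identical whether or not the caller's value is in the corpus, so the service cannot tell which member of the bucket was queried. For a phone-number space of 10^10 the bucket is still about 9.5 thousand numbers, which is the anonymity the scheme would buy there; the plain GET in the comment above buys none.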
If that's the case I suggest he would google Bitcoin's SHA256 numbers too. Heck, at ~55k USD per bitcoin, he would become, literally, a multimillionaire overnight. What a buffoon! And it hit HN top as well, pfff.
Author here, and yes that is what I claim. This is actually crypto 101 stuff!
1.) Pre-computing SHA256 of a small set of numbers (1111111111 - 9999999999) takes only a couple minutes on your average laptop. That is how people find the preimage (password) of leaked password hashes! More sophisticated techniques use rainbow tables etc.
2.) The preimages of Bitcoins, github commits and file hashes have much more entropy to be able to brute force them. Hence, I will not be able to (with today's computing power) find a pre-image of Bitcoin's SHA256 etc. and sadly not become a millionaire overnight :(
3.) Not related to this but hashing functions do get 'weaker' over time as computing power increases. We don't use MD5 anymore for a reason. SHA1 has attacks now (https://shattered.io/). This is why git is moving to SHA256 (https://lwn.net/Articles/811068/). n number of years from now, there will be collision attacks on SHA256 as well, at which point we'll have to move to a better, stronger hash!
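Point 1 above, as an added example (not the author's code or the lookup site's): a precomputed SHA-256 table over a slice of the 10-digit number space, used to turn a "hashed" phone number straight back into the number, next to the keyed hash that actually defeats the table. The target number 5550123456, the ten-thousand-number range and the secret key are constructed values; the range is kept narrow so the script finishes instantly, whereas the full space the comment describes is about 9 billion hashes, which the same loop covers given time.

```python
import hashlib
import hmac

WIDTH = 10  # digits in a North American number, matching the range in the comment


def sha256_hex(number):
    """Plain SHA-256 of the number's decimal string, the 'we only store hashes' scheme."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def build_table(start, end):
    """Precompute digest -> number for every number in [start, end] (the rainbow-table idea,
    without the space compression). Over the whole 10-digit space this is a one-time cost."""
    return {sha256_hex(str(n).zfill(WIDTH)): str(n).zfill(WIDTH) for n in range(start, end + 1)}


def invert_in_range(target_hex, start, end):
    """Same attack without storing a table: rehash the range until the digest matches."""
    target = bytes.fromhex(target_hex)
    for n in range(start, end + 1):
        candidate = str(n).zfill(WIDTH).encode("ascii")
        if hashlib.sha256(candidate).digest() == target:
            return candidate.decode("ascii")
    return None


def keyed_hash_hex(number, key):
    """HMAC-SHA256 under a secret key. Whoever lacks the key cannot precompute anything,
    because every candidate's digest depends on the key, not just on the small input space."""
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed demo values: a target number and a narrow slice of the numbering space.
    target = "5550123456"
    lo, hi = 5550120000, 5550129999
    table = build_table(lo, hi)
    leaked = sha256_hex(target)
    print("plain SHA-256 inverted via table:", table.get(leaked))
    print("plain SHA-256 inverted by search:", invert_in_range(leaked, lo, hi))
    keyed = keyed_hash_hex(target, b"constructed-secret-key-kept-server-side")
    print("keyed hash inverted via table:", table.get(keyed))
    print("keyed hash inverted by search:", invert_in_range(keyed, lo, hi))
```

The lesson for a site that stores or looks up phone numbers: an unkeyed hash of a 10-digit number is a reversible encoding, not a protection, and a public per-record salt only multiplies the attacker's work by the number of records. The key must stay secret (or the scheme must avoid sending the full value at all, as the range query for passwords does).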
An even safer way: Look at your phone log. If you haven’t received 25 spam calls in the past week, your number probably isn’t in the list.