Hacker News new | past | comments | ask | show | jobs | submit login
Best to avoid using the “Have I been facebooked” website (code.express)
34 points by code-express 4 days ago | hide | past | favorite | 52 comments

> The answer is: use HIBP, or https://haveibeenpwned.com/. They’ve got the technical (and social) bits of this process right!

While I'd trust HIBP more it isn't doing anything significantly different with the lookup process, is it?

"There's no k-anonymity implementation for phone numbers at this point in time." https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...

Putting a number sends it directly in the GET request: https://haveibeenpwned.com/unifiedsearch/%2B1%20123%20456%20...

Edit: as does looking up an email. It's password lookups that use local hashing/k-anonymity: https://haveibeenpwned.com/Privacy

The significant difference to me is you know exactly who is running HIBP, and he is open about what he is doing producing a long blog post about it.

Oh I agree, just that the article is saying 'look the string gets sent to the server!' and making out HIBP isn't doing so.

It's kinda crazy how paranoid people have become around stuff like phone numbers. Even if this site were recording the numbers, what good is it?

There used to be a time when everyone received a book full of everyone's phone number, name and address... Crazy!

Those numbers rarely were used as access control then, though.

I've encountered a surprising number of people who think that posting your email address publicly is a security risk.

It certainly will get you more emails. Even the unwanted kind.

Eh, so what? I've had the same gmail email address for around 17 years now and I get like 50 spam emails a day that are successfully filtered by their spam protection.

I have to prune my email inbox like a garden. I'm constantly unsubscribing from stuff. It's just the reality of the way how the internet and email works, unfortunately.

Your phone number is a short unique identifier for you which follows you around for potentially your entire life, because the hassle of changing it is significant.

I imagine marketers find it significantly more valuable than an email address.

We already know all possible phone numbers. I think the value would be in associating it with at least one more piece of data to correlate it with other data. At least tie it to some sort of demographics, but preferably an exact individual.

It's crazy how we have gone from the phone company publishing an entire index of everyone's names, addresses, and phone numbers, to ...this.

what happened to the good old days of the white page phone books.

I'm not entirely convinced the good old days of the whitepages was actually good.

The phone companies required you to purchase your privacy for a monthly fee if you didn't want to be included in their publications. Had these publications been privacy focused from the start and required opt-in instead of the extortion for privacy scheme; I have a feeling that these directories would not have existed in the form that they did, if at all.

Guess what? I already have your phone number. So do the marketers. And we have everybody else’s in the world as well!

Phone numbers are a small search space. You can just iterate through it to generate all possible phone numbers.

Of course, I don’t know that your phone number belongs to you, but I have it. The same applies to this site if you enter your phone number in it. They will have your phone number… so what? They don’t know it’s your phone number, just that it‘s a phone number, which has zero value.

If you search the web for your exact phone number, there’s a very good chance your phone number is on several “who called me?” websites already. How did they get your number? They didn’t. They just list every possible phone number and hope people will add comments saying who called them from that number.

What information are you actually disclosing here, given that the number itself is worthless?

That the phone number is associated with somebody who wants to know if it’s part of the Facebook breach? What value is that information / what are the risks associated with it? Scammers wouldn’t use it because anybody who is looking this information up is probably less likely than the average person to fall for a scam even when tailored to this breach. They’d probably get a better hit rate by excluding these numbers.

How about associating it with whatever information your browser leaks / whatever tracking they can add? Use private browsing / incognito to reduce that. What value is knowing that a person with an arbitrary phone number uses Chrome vs Safari? What value is knowing that a person with a phone number from a certain area is browsing from an IP address also located in that area?

All of the comments people have made about privacy here seem to be useless “oh my god, now they have your phone number!” panic that doesn’t seem to realise that a phone number in isolation is worthless. It’s possible that there are potential privacy problems here, but as far as I’ve seen, nobody has actually mentioned any.

Yeah, but simply knowing it isn’t all that useful. You need to control it.

Do you not get spam calls on your phone? Phone numbers that are put into this site are likely to be valid & active, making them valuable data to sell.

From what I can tell, spam calls are mostly war dialing. Some of them are actually going sequentially, my spouse's number is about 400 away from mine, and sometimes she gets the same automated call minutes after me.

Well, from what I can tell, older people are targeted at far high rate. Age seems to be a valued input to the process. I can guess a number of reasons for that.

Does anyone under 50 pick up the phone if they don't know the number that's calling?

Sure. Ever gotten a call from a delivery person with food? A doctor’s office with test results? A hair salon confirming an appointment? A teammate with an emergency at work? A taxi driver with the wallet you forgot? A distant relative that needs help? A potential customer referred by a friend?

Food I’m expecting, so I pick up. Usually my phone actually tells me it’s DoorDash calling, which is nice.

Just about all the others get to go to voicemail and I’ll read the vm messages at my leisure as my phone transcribes them for me.

My parents (over 70) get so many spam calls on their land line it’s comical. Last time I visited them the calls would come two or three per hour, nonstop, day and night. They would leave the phone off the hook at night so it wouldn’t disturb their sleep. It gets worse every decade. Answered a few of them and it was always the usual suspects: the IRS, Microsoft tech support, your credit card company, vacation winner, etc.

Best thing they ever did was cancel their (at least) 50 year old phone number.

When searching for a job is the best example. Though these are usually not hidden numbers and for me, if a mobile is calling it's either a wrong number or work related. Spam seems to always a landline.

In North America, all phones, landline or cell, have the same number format: 1 (222) 345-6789, where 222 is the area code.

Oh that's interesting, here in Australia mobile numbers are always 04xx xxx xxx (though according to wikipedia, 5 is also valid but i've not seen it)

Most people I know over 50 don't answer unknown numbers either.

But it's the same as spam... getting one victim out of a hundred thousand is probably enough to make it pay off.

Only when I'm on call.


In my area code pretty much all the numbers are in use. You don't need to compile a database to spam random people. Just dial any 7 numbers.

So I'm curious. I live in Japan and have a Japanese number. I have a USA number via Google Fi. I get several spam calls on the USA number but zero on the Japan number.

Any idea why? It it just luck? It is scammers don't target Japan? Is it some technical difference that makes it harder/impossible/costly in Japan? Is it an enforcement issue?

Also what happened / is happening with https://en.wikipedia.org/wiki/STIR/SHAKEN ? Will it solve the issue?

A quick look at my voip carrier says calls to us are 1 cent, and calls to Japan land lines are about 2.5 cents, and Japan mobile is 10 cents. They've generally got pretty good pricing; with volume you can get better, but this is a good place to start. So call cost is going to be a lot more.

Then you've got to find voice talent. You can find English voice talent all over the globe, Japanese voice talent is harder to find and probably costs more.

STIR/SHAKEN will likely help somewhat. It should make it easier to track down accounts of callers, but we'll have to see if enforcement becomes effective, or if actionable complaints make enough of a difference. I don't think telephone companies regular record enough metadata for effective enforcement at the moment, and there isn't a reasonable way to report abuse, so most people just shrug and pick up less calls; we really need a useful reporting mechanism (dial * something after you get a spam call should work IMHO; but that's not me doing the work to correlate reports and what not)

I haver never given my number out yet get 5+ spam calls a day. Can't be stopped.

If you're on the "facebooked" list your number is already disclosed and correlated to you and your email address - inputting it onto a website to see if it's one of the compromised will have absolutely no effect.

But if you aren't in the data you are now giving away information.

I received 10 spam calls in 3 hours yesterday from "Chase Bank" about verifying a purchase in Ohio. All came from my area code and matched the same 3 digits of my phone number. I sometimes receive spam calls but never more than one or two in an afternoon. I was wondering what changed recently or how I got onto a new list.

Now I realize, two days ago I used this website.

Has anyone else had a similar experience? I am not assigning blame here but pointing out a coincidence. It would be great to hear if others going through the same thing.

Perhaps it’s just been long enough for the original breach to take root in a twilioml app?

I should have mentioned in the original post, my number was not disclosed in the breach.

In the case it isn't, it is exposed to the haveibeenfacebooked page afterwards you asked them if it is exposed

The data doesn't contain an IP address which technically this website could gather.

This post is ridiculous. Why does this crap keep making it to the front page?

Crap often makes it to the front page. If the immune system (flags and moderation) functions correctly, it doesn't remain there for long.

I'm not saying this article is crap -- just that if it is, you probably just happened to see it before the white blood cells kicked in.

Well, it’s sending a sha256 for your phone number, how is this not good enough? How you would expect to check the number in the database without hashing or passing it clear?

There are better ways, that involve more computation on the client side.

For example, HIBP does not send your password (or its complete hash) to the backend in order to find if it has been previously exposed. They use this method: https://blog.cloudflare.com/validating-leaked-passwords-with...

So, the main point of this article to avoid that site, is that they could google SHA256 for a known simple number, namely "11111111111" and boom!, this way the site programmer would reverse back to know your number?

If that's the case I suggest he would google Bitcoin's SHA256 numbers too. Heck, at ~55k USD per bitcoin, he would become, literally, multimillionaire overnight. What a buffoon! And it hit HN top as well, pfff.

> this way the site programmer would reverse back to know your number?

Author here, and yes that is what I claim. This is actually crypto 101 stuff!

1.) Pre computing SHA256 of a small set of numbers (1111111111 - 9999999999) takes only a couple minutes on your average laptop. That is how people find the preimage (password) of leaked password hashes! More sophisticated techniques use rainbow tables etc.

2.) The preimages of Bitcoins, github commits and file hashes have much more entropy to be able to brute force them. Hence, I will not be able to (with todays computing power) find a pre-image of Bitcoin's SHA256 etc. and sadly not become a millionaire overnight :(

3.) Not related to this but hashing functions do get 'weaker' over time as computing power increases. We don't use MD5 anymore for a reason. SHA1 has attacks now (https://shattered.io/). This is why git to move to SHA256 (https://lwn.net/Articles/811068/). n number of years from now, there will be collision attacks on SHA256 as well, at which point we'll have to move to a better, stronger hash!

If you think that hashing 9 billion numbers takes only a few minutes on a laptop you must have a laptop from Star Trek.

I'm more annoyed with the security community making it so hard to get access to the raw leak. There's a weird elitist attitude of "only we can handle the data" even though every black and white hat in the world already grabbed it.

The two sites seem to have different sources, however - HIBP claims neither my email nor my phone number were involved in the FB leak, while the "Facebooked" site correctly identified that my number was tied to my name and other pieces of information.

What of this version, which sends 99 random numbers along with your real number?


A safer way: just download the dump for yourself and Ctrl-F your number.

An even safer way: Look at your phone log. If you haven’t received 25 spam calls in the past week, your number probably isn’t in the list.

I just counted and I only had 16 so I must be safe. The amount of spam calls I get is staggering.

I got more than 25 spam calls per week before this leak. Apparently the warranty on my 1993 vintage vehicle is about to expire.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact