So the leak isn't a leak but a database of numbers they scraped together.
> To prevent personal data leaks, regular users should adopt common data security practices. This includes using a high-quality VPN and getting a reliable antivirus program. And since the shopping holidays are close, you can already find great market-leading NordVPN Black Friday and TotalAV deals.
I like that this article doesn't mention the country that is likely most affected: India.
> More than 32 million of the leaked records are said to be from users in the US, with 11 million from UK users. Other affected nations include Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), Turkey (20 million), and Russia (10 million).
Are there any other data associated with the number, other than the country and whether it has a WhatsApp account?
You can check if a given number is on WhatsApp easily, and associate the country based on the phone format itself. Make this for all possible phone numbers (big number, but not impossibly big) and you will have a "leak".
Edit: having a list of WhatsApp users already generated for you is easier than checking yourself, so this is more of a "commodity database" rather than a leak.
I guess this would be the same as randomly testing millions of email addresses for whether they bounce back or not, and selling this knowledge database.
Mostly blocked when you're not in the phone book of the user.
That's not a leak, it's just a database of publicly accessible data. I would say someone needs a headline, that's all.
On the price of these databases you see that they are worth nothing.
Not completely true; while you don't have to accept messages for them to show up in your conversation list, when you receive the first message from someone not in your contact list you get the option to choose between "report", "block" and "continue".
That's false. Once again there is no "accept" or "continue" button. If you initiate a conversation and couldn't see the profile picture until they replied back it's because you weren't on their contact list and they added you to their contact list using the "add" button.
“ 2. Only Verified Whatsapp Numbers - Country Wise ( This is to cover all the mobile subscribers exhaustively . We generate mobile numbers based on the series allocated for the telecom operators in each country and then verify / validate those numbers with the Whatsapp Servers )”
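The enumeration approach described in the two comments above (generate candidate numbers from the series allocated to operators in each country, then attribute a country from the number format itself) as an added Go example; this is not code from the thread or from the post being quoted. The calling-code table is a small illustrative subset of the ITU assignments, the allocation block is constructed for the example rather than a real operator assignment, and the per-number WhatsApp probe is left as a callback the caller supplies, since it is not modelled here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative subset of E.164 country calling codes (ITU assignments; the
// labels are this example's own). A real tool would load the full ITU table.
var callingCodes = map[string]string{
	"1": "NANP (US/CA)", "7": "RU/KZ", "20": "EG", "33": "FR", "39": "IT",
	"44": "GB", "90": "TR", "91": "IN", "966": "SA",
}

// NormalizeE164 accepts human formatting ("+91 98765 43210") and returns the
// bare "+<digits>" form. A number without the leading "+" is ambiguous (trunk
// prefixes like 0044 are national conventions), so it is rejected.
func NormalizeE164(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if !strings.HasPrefix(raw, "+") {
		return "", errors.New("E.164 numbers start with '+' followed by the country code")
	}
	var b strings.Builder
	for _, r := range raw[1:] {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == ' ' || r == '-' || r == '(' || r == ')' || r == '.':
			// formatting only, dropped
		default:
			return "", fmt.Errorf("invalid character %q", r)
		}
	}
	digits := b.String()
	// E.164 allows at most 15 digits; the lower bound just rejects fragments.
	if len(digits) < 7 || len(digits) > 15 {
		return "", errors.New("length outside E.164 limits")
	}
	if digits[0] == '0' {
		return "", errors.New("no country code begins with 0")
	}
	return "+" + digits, nil
}

// CountryOf attributes a country by longest-prefix match on the calling code
// (codes are 1 to 3 digits, so "966" must be tried before "96" and "9").
func CountryOf(number string) (country, code string, ok bool) {
	n, err := NormalizeE164(number)
	if err != nil {
		return "", "", false
	}
	digits := n[1:]
	for l := 3; l >= 1; l-- {
		if l > len(digits) {
			continue
		}
		if c, found := callingCodes[digits[:l]]; found {
			return c, digits[:l], true
		}
	}
	return "", "", false
}

// Allocation is one block of numbers a regulator has assigned to an operator:
// country code, a fixed national prefix (a mobile series, say) and the number
// of digits the operator fills in freely. Values used below are constructed.
type Allocation struct {
	CountryCode string
	Prefix      string
	FreeDigits  int
}

// Size is the number of candidate subscriber numbers in the block: 10^FreeDigits.
func (a Allocation) Size() uint64 {
	n := uint64(1)
	for i := 0; i < a.FreeDigits; i++ {
		n *= 10
	}
	return n
}

// Nth returns the i-th candidate of the block in E.164 form.
func (a Allocation) Nth(i uint64) string {
	return fmt.Sprintf("+%s%s%0*d", a.CountryCode, a.Prefix, a.FreeDigits, i)
}

// Enumerate walks the block in order and hands each candidate to check, which
// stands for the per-number "does this have an account" probe a scraper would
// plug in (not modelled here). It stops when check returns false so a caller
// can budget requests, and returns how many candidates were visited.
func (a Allocation) Enumerate(check func(e164 string) bool) uint64 {
	var visited uint64
	for i, n := uint64(0), a.Size(); i < n; i++ {
		visited++
		if !check(a.Nth(i)) {
			break
		}
	}
	return visited
}

func main() {
	for _, s := range []string{"+91 98765 43210", "+1 (202) 555-1212", "+966 50 000 0000", "0044 7700 900000"} {
		c, cc, ok := CountryOf(s)
		fmt.Printf("%-20s country=%q code=%q ok=%v\n", s, c, cc, ok)
	}
	// A block shaped like a "+44 7" mobile series with 9 free digits: 10^9
	// candidates, i.e. the size of the space, not the count of numbers in use.
	uk := Allocation{CountryCode: "44", Prefix: "7", FreeDigits: 9}
	fmt.Printf("candidates: %d (first %s, last %s)\n", uk.Size(), uk.Nth(0), uk.Nth(uk.Size()-1))
}
```

The interesting number is Size(): one nine-digit block is a billion candidates, which is large but well within what a patient scraper with many accounts can probe, and that is the whole "leak".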
The general tendency on HN is Telegram bad, Signal/WhatsApp good. Even a small mistake made by Telegram will be judged harshly; when it comes to WhatsApp, their mistakes are not important.
Yes I am a Telegram fanboy (how can you not like such a beautiful/fast app, in the Electron world where everything takes 10s of seconds to load)
WhatsApp chats are end-to-end encrypted (even their iCloud backups are). Telegram group messages are always plaintext / available to Telegram, and Telegram 1:1 direct messages are plaintext by default.
Yet they hold the encryption keys to decrypt your chats on the fly. What inspires so much trust in Meta? Especially in a company with "targeted advertisements" as its business?
I wonder what percent of "hacks" are from insiders, or from inside information/credentials given to outsiders. With the huge number of people involved in these companies, there has to be some percentage of illicit leaking going on.
So... what advice is there for technology-comfortable people who want to mitigate the effects of data leaks like these? It seems like any data provided will be exposed eventually and company size doesn't seem to correlate with data safety.
For example should people be advised to rotate phone numbers every N amount of time?
The basic stuff helps a decent amount. Assume your name, phone, email, address are all public. Don't reuse passwords, ever (use a password manager), use 2fa wherever possible, ideally not the SMS kind. Use a password manager that has a tie-in with haveibeenpwned or whatever so you know asap to change your creds.
Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.
If you can, have a separate setup (completely separate email account(s), not just aliases, and even separate hardware to access them if you can) for very important accounts, the ones that would ~ruin your life for a good bit if they got taken over (bank, retirement, etc.)
There's also credit monitoring type stuff, which I've never been clear how useful it is, but might be worthwhile. You also may get it free if some company you use has a leak and they try to PR it away that way.
I think there's some way to basically lock your credit against new accounts, I need to look into that someday, don't know the details or if it even exists.
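The haveibeenpwned tie-in mentioned in the comment above works by a range query that sends only the first five hex characters of the SHA-1 of the password, so the service never learns which password was checked. Here is the client side as an added Go example; it is not code from the comment or from haveibeenpwned. The response body is constructed inline (the count is illustrative) so that it runs offline; a real client would fetch https://api.pwnedpasswords.com/range/<prefix> and feed the body to the same parser.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// RangeQuery splits the SHA-1 of a password into the 5-hex-char prefix that is
// sent to the service and the 35-char suffix that never leaves the client.
// One prefix covers a large slice of the hash space, which is what makes the
// lookup k-anonymous.
func RangeQuery(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// ParseRange reads the response body: one "SUFFIX:COUNT" per line. When the
// client asks for padding (Add-Padding: true) the service also sends decoy
// suffixes with count 0, which must be treated as "not found"; malformed
// lines are ignored rather than trusted.
func ParseRange(body string) map[string]int {
	out := make(map[string]int)
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		suffix, count, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if !ok || len(suffix) != 35 {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(count))
		if err != nil || n <= 0 {
			continue
		}
		out[strings.ToUpper(suffix)] = n
	}
	return out
}

// Pwned returns how many times the password appeared in the corpus covered by
// the given range body, or 0 when it is absent.
func Pwned(password, rangeBody string) int {
	_, suffix := RangeQuery(password)
	return ParseRange(rangeBody)[suffix]
}

// SampleRangeBody is a constructed stand-in for the body returned for the
// prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6). The real response
// has hundreds of lines; the counts here are illustrative. It includes one
// padding decoy (count 0) and one malformed line to exercise the parser.
const SampleRangeBody = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n" +
	"DEADBEEF:12\r\n"

func main() {
	prefix, _ := RangeQuery("password")
	fmt.Printf("GET /range/%s -> suffix never sent\n", prefix)
	fmt.Printf("\"password\" seen %d times\n", Pwned("password", SampleRangeBody))
	fmt.Printf("a long unique passphrase seen %d times\n", Pwned("a long unique passphrase", SampleRangeBody))
}
```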
Assume your name, phone, email, address are all public.
Someone on HN will invariably point out that this is how it was for the last hundred years, and it was only when we made computers powerful enough to abuse the information that this level of privacy became a concern.
I remember the days when your name, address, and phone number were public information. I paid something like $15/month to keep it out of the phone book.
What I recently learned, browsing through old books that a local library was throwing away, is that sometimes those phone book listings would also include things like a woman's maiden name, and the name of her husband, and/or marital status. Something like:
Smith, Margaret C (nee Jones, widow of George): 202-555-1212
To be honest, that's close to how it should be in an ideal world. But US companies went down the obviously-moronic path of treating social security numbers as passwords and now we're stuck.
Eventually the bulk of the world will probably end up with some sort of government-managed crypto-ID, but it's sure going to take the US a long time to get there.
I live in Norway, which has a similar system, so I can’t answer for op, but the answer here is, no. Your “social security number” is not ever used as a password or other form of presumably secret key. While you probably don’t go blabbing it everywhere, there’s not much you can do if you know mine. You would also have to physically steal my phone and also learn my secret pin, or break into my fire safe in order to successfully use my personal number for anything. Address and phone number are the same thing, that’s just where you mail things to, it’s not used as a secret key.
I live in France and while we do not have public records (or just a very few), we do not have identifiers that can be easily used to do something nefarious. Our social security number, or the tax one is not used anywhere as a secure identifier (as opposed to, say, US with their SS# that is tragically comical).
We do like secrecy, though, and opening up the tax reports and addresses would be a 12 on the Richter scale of earthquakes. I do not know whether that would be good or bad but it would lead to all sorts of social unrest.
No, instead they use this radical method called actually identifying the person they're about to give a bunch of cash to instead of trying to pretend a username is a password.
>Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.
If you pay for ProtonMail, you get a SimpleLogin Premium for free, which makes the creation of dummy/alias emails a lot easier. They're owned by the same company.
I've been using alias addresses since forever, though with Tutanota, not Proton (due to cost & nice app). It's great when you can simply deactivate an address and the spam stops coming.
That sounds nice. I use bitwarden's "plus addressed email" generator I think it's called, the downside being that I need to specifically blackhole anything that bypasses the plus-addressing, or it'd be easy for anyone that actually looks to bypass.
There still is the chance that some spammer will figure out that "blah+any-random-string" works for my email, but I'll deal with that if someone bothers someday. I'd just need to add an allow-list or something probably.
Yeah definitely; the "+" alias is built in to most emails (like, it works on Google/Proton at least). I'm more just saying that if you pay for ProtonMail (and therefore care about privacy more than the average person) you get another service for free that doesn't expose your "real" email if someone cared to look.
Someone can look at joe+spam@joeschmo.com and figure out Joe's "real" email address. Something like SimpleLogin (sorry, not a shill for them, I swear) gives you a completely new email/domain (and lets you set up your OWN domains), which then forwards to your proper inbox.
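To make the difference between plus-addressing and a relay alias concrete, and to show the allow-list filter the Bitwarden comment above says it would need, an added Go example; it is not code from any commenter nor from Bitwarden, Proton or SimpleLogin. The policy structure, the domain names and the Gmail dot-folding rule it applies are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Canonical reduces an address to the form a spammer or broker would use to
// recover the "real" mailbox: lowercase, strip a "+tag" from the local part
// and, for Gmail, the dots Gmail ignores. It returns the canonical address,
// the tag (empty when none) and whether the input looked like an address.
func Canonical(addr string) (canonical, tag string, ok bool) {
	addr = strings.ToLower(strings.TrimSpace(addr))
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return "", "", false
	}
	local, domain := addr[:at], addr[at+1:]
	if plus := strings.Index(local, "+"); plus >= 0 {
		local, tag = local[:plus], local[plus+1:]
	}
	if domain == "gmail.com" || domain == "googlemail.com" {
		local = strings.ReplaceAll(local, ".", "")
	}
	if local == "" {
		return "", "", false
	}
	return local + "@" + domain, tag, true
}

// Reveals reports whether an alias gives away the real mailbox to anyone who
// applies Canonical: true for plus-addressing, false for a relay alias that
// lives on a separate domain and is only linked by a forwarding rule.
func Reveals(alias, real string) bool {
	a, _, ok1 := Canonical(alias)
	r, _, ok2 := Canonical(real)
	return ok1 && ok2 && a == r
}

// Verdict is what the inbox-side filter decides for one message.
type Verdict struct {
	Deliver bool
	Label   string // site the alias was issued to, or the reason for dropping
}

// AliasPolicy is the allow-list: every tag ever handed out and to whom, which
// tags were retired after leaking, and which sender domains may still reach
// the bare (untagged) address. Mailbox is stored in canonical form.
type AliasPolicy struct {
	Mailbox       string
	Issued        map[string]string // tag -> site it was given to
	Retired       map[string]bool   // tags whose recipient leaked them
	BareAllowFrom map[string]bool   // sender domains allowed to use the bare address
}

func senderDomain(from string) string {
	c, _, ok := Canonical(from)
	if !ok {
		return ""
	}
	return c[strings.LastIndex(c, "@")+1:]
}

// Classify decides one message from its envelope recipient and sender.
func (p AliasPolicy) Classify(to, from string) Verdict {
	canon, tag, ok := Canonical(to)
	if !ok || canon != p.Mailbox {
		return Verdict{false, "not our mailbox"}
	}
	switch {
	case tag == "":
		if p.BareAllowFrom[senderDomain(from)] {
			return Verdict{true, "bare address, allow-listed sender"}
		}
		return Verdict{false, "bare address from unknown sender (tag stripped?)"}
	case p.Retired[tag]:
		return Verdict{false, "retired alias " + tag + " (leaked via " + p.Issued[tag] + ")"}
	default:
		if site, known := p.Issued[tag]; known {
			return Verdict{true, site}
		}
		return Verdict{false, "unknown tag " + tag + " (guessed alias)"}
	}
}

func main() {
	fmt.Println(Reveals("joe+shop@example.com", "joe@example.com"), Reveals("x7k2qz@relay.example", "joe@example.com"))
	p := AliasPolicy{
		Mailbox:       "joe@example.com",
		Issued:        map[string]string{"shop": "shop.example", "forum": "forum.example"},
		Retired:       map[string]bool{"forum": true},
		BareAllowFrom: map[string]bool{"friend.example": true},
	}
	fmt.Printf("%+v\n", p.Classify("joe+forum@example.com", "news@forum.example"))
	fmt.Printf("%+v\n", p.Classify("joe@example.com", "x@bulk.example"))
}
```

The retired-tag path is the "blackhole one that gets leaked" step from earlier in the thread; the bare-address path is the gap the plus-addressing user describes, closed with a sender allow-list instead of a blanket drop.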
Yeah it's definitely a better pattern, I hope more companies create something like it. I think I heard Apple is doing something similar maybe? I seem to recall Fastmail has one too, pretty sure I saw it in the bitwarden settings last I went in there.
Apple does this with email forwarding aliases on your phone; I can sign up using a generated Apple relay, which then pushes to your main email. I don't like it that much, mostly because you're still kind of locking into the Apple ecosystem, though.
The advice is to do literally nothing about it. What effect do you think this specific leak has on you? What kind of adversary do you think will be able to benefit from this data, and how?
The reality is that the data is useless trash, and there is no indication that this has actually leaked from Facebook or is showing any kind of security problem in their systems.
That remains to be seen. People are fairly ingenious when it comes to abusing information and information runs the world now. I will offer an unrelated example, partially because I do not want to give ideas on how to benefit from this. Do you remember when certain entrepreneurial billionaire offered a checkmark for sale, which resulted in people impersonating companies and manipulating their stock price[1]?
Like with most things, any tool is worth what one is able to do with it.
<< The advice is to do literally nothing about it.
I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.
> Like with most things, any tool is worth what one is able to do with it.
Yes, and given an attacker will not get new capabilities from this data, it is worth nothing.
Any attack that could be feasibly run with a list of nothing but phone numbers associated with some (unknown) WhatsApp account could be done without that list just as easily. That's because of two things: a) phone numbers within a given country are easy to enumerate, b) the WhatsApp account space is dense, i.e. the odds of any legit phone number being used for WhatsApp is high.
> I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.
If you can't formulate a realistic threat from this data, how can you possibly re-evaluate your security posture in light of it? You need a threat model for that. Pondering about the security of one's digital life can of course be worthwhile in general, but advising anyone to do so in the context of this linkbait is just advising them to waste their time.
In your Twitter example, the impersonation did not come as a surprise. People were predicting that outcome within minutes of Musk announcing it. Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?
<< If you can't formulate a realistic threat from this data, how can you possibly re-evaluate your security posture in light of it?
You do have a point and it is possible I misunderstood the 'value proposition' from this data set.
From the forum referenced in the article:
"Name / Whatsapp Number - Country Wise "
What I see in that post is name field ( or potentially just a number ) and country field. If I was a person buying it, the main benefit would be "being able to reach a seemingly random ( unless it is separately checked against some other available list/s ) individual in a desired geographic location". As you correctly assessed, by itself it is not a terrible security threat.
<< Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?
Yes ( although admittedly, mostly because "bad things" is sufficiently generic to allow for it and I already admitted I think you are right on the security aspect ).
Fraud-wise this is a perfectly sufficient set of information ( current valid numbers likely corresponding with real phone numbers ) as those tend to be number games anyway ( one out of how many answers a spam email type of deal ). In that area, the most common scam lately is grandson scam[1] or romance scam[2]( those having extra benefit of less likely being reported even if others point it out to the victim ). Seniors do seem to use Whatsapp in the old country partially due to price and reliability ( dunno how common it is in US though ) so they fit that target demographic, but that assumes fraudster can reliably identify a victim set of seniors ( or burn existing set with a more generic pitch ). For non-seniors, crypto scams seemed very common lately ( and how many people just click yes, when an invitation pops up ) although recent crash likely made it less desirable.
In other words, I think you are right about not doing anything specific security-wise, but it may be worthwhile talking with your social circle if they use Whatsapp since they may now see an increase in unsolicited calls/messages/invites and benefit from a conversation about safety online in general.
People should be advised to not use phone numbers at all.
There was a joke "all phone numbers leaked" list that just listed everything from 000-000-0000 to 999-999-9999. If there is no other information associated (names, pictures, emails, anything) then this leak is of almost comparable severity.
There's an important difference between people being able to do inefficient paper-based one-off `SELECT ... LIMIT 1` queries when needed and the entire world being able to find new and exciting ways to search, join and mix data at great speed—the latter tends to enable new and exciting ways for the data to be used both for commercial gain, criminal purposes, and abusive trolling. (See: the history of internet harassment for the last 20 years.)
Pointing out that we used to put all the phone numbers in a book published by the phone company and now we don't is historically true but practically unimportant, just as "hey, sorry to hear your house got broken into, but you know, people in IDYLLIC_RURAL_HAMLET don't even lock their front doors like you BIG_CITY folks do" isn't useful unless giving up living and working in BIG_CITY and moving to IDYLLIC_RURAL_HAMLET is actually a practical option, which most likely it isn't (and if that were to happen en masse, IDYLLIC_RURAL_HAMLET would suddenly find they'd also need to lock their front doors if their population increased by a factor of two).
Who could have predicted that technological change might lead to shifts in social attitudes? Or, indeed, that the rules, principles and institutions we collectively create to make society bearable have to adapt to said changes?
Not using WhatsApp isn't going to magically secure your details online.
As per GP's point, most services eventually seem to leak data, so it may as well be saying "Don't go online".
Compare that to the alternate response which provides solid actionable advice for how to limit exposure when these services ultimately leak your data, and you can see why that post was downvoted to oblivion.
Signal uses (or used?) SGX for remote attestation, which presumably lets the client verify that the code running on the server is a build of the OSS code and not a modified version. But I don't know the details or if this is reliable.
It should be possible to independently verify Signal's attestation, but I don't know if anyone has done it. Before you go and say "what's even the point then", the point is that this gives Signal plausible deniability for when the TLAs show up asking for user info.
I wonder, how could one use SGX for remote attestation when they didn't publish the source code for more than a year just to get their insiders' knowledge cryptocoin deployed.
If it's open source and has a reproducible build, then you can audit the codebase, compute the hash, then verify an attestation from the secure enclave that the code is running in.
In the case of the above, you're not trusting the server, you're only trusting the CPU manufacturer. Attestation happens within the secure enclave inside the CPU, at which point having physical access to the machine doesn't (well, shouldn't, if it's correctly implemented) give you any insight into what code it's running or what data it's operating upon.
How can you know which CPU is running?
Also, the software could easily change the output of the security chip (secure enclave is only on Apple devices).
Part of the attestation process involves receiving a cryptographic signature from the CPU vendor. They can only fake it if they break the cryptography. And enclaves (or "trusted execution environments") aren't only on Apple chips, AMD and Intel have their own implementations.
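A simplified model of the verification described in the last few comments (reproducible build hash, vendor-signed measurement, a nonce for freshness) as an added Go example; it is not Signal's code and not the Intel SGX report or quote format. The report carries only two fields, ed25519 stands in for the vendor-certified attestation key chain, and the "enclave binary" is a constructed byte string. The order of the checks and the three failure cases are the point.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report models the two SGX report fields that matter here: MRENCLAVE (hash
// of the code as loaded) and REPORTDATA (64 bytes the enclave fills in, used
// to bind the report to a session). Real reports carry much more.
type Report struct {
	Measurement [32]byte
	ReportData  [64]byte
}

func (r Report) Bytes() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...)
}

// Quote is the report signed by the platform's attestation key, which the
// CPU vendor certifies. ed25519 is this example's stand-in for that key.
type Quote struct {
	Report    Report
	Signature []byte
}

// Measure is the reproducible-build side: the verifier computes the same
// value from the enclave binary it built itself from audited source.
func Measure(enclaveBinary []byte) [32]byte {
	return sha256.Sum256(enclaveBinary)
}

// Platform simulates the hardware: it measures whatever code is loaded,
// tampered or not, and signs honestly with its key.
type Platform struct {
	AttestationKey ed25519.PrivateKey
	LoadedEnclave  []byte
}

// Attest produces a quote whose ReportData commits to the verifier's nonce,
// so a quote captured earlier cannot be replayed into a later session.
func (p Platform) Attest(nonce []byte) Quote {
	r := Report{Measurement: Measure(p.LoadedEnclave)}
	h := sha256.Sum256(nonce)
	copy(r.ReportData[:], h[:])
	return Quote{Report: r, Signature: ed25519.Sign(p.AttestationKey, r.Bytes())}
}

var (
	ErrSignature   = errors.New("quote not signed by a vendor-certified key")
	ErrMeasurement = errors.New("enclave measurement differs from reproducible build")
	ErrFreshness   = errors.New("report data does not commit to this session's nonce")
)

// Verifier is the client. It trusts the vendor key and its own build hash,
// and nothing about the server operator.
type Verifier struct {
	VendorKey ed25519.PublicKey
	Expected  [32]byte
}

// Verify checks, in this order: the signature (nothing in the quote can be
// believed before it), the measurement, then freshness.
func (v Verifier) Verify(q Quote, nonce []byte) error {
	if !ed25519.Verify(v.VendorKey, q.Report.Bytes(), q.Signature) {
		return ErrSignature
	}
	if q.Report.Measurement != v.Expected {
		return ErrMeasurement
	}
	h := sha256.Sum256(nonce)
	if !bytes.Equal(q.Report.ReportData[:len(h)], h[:]) {
		return ErrFreshness
	}
	return nil
}

// RunScenarios exercises the verifier against a genuine platform, one running
// patched code, a replayed quote and a platform with a non-vendor key.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	_, roguePriv, _ := ed25519.GenerateKey(nil)
	audited := []byte("constructed stand-in for the reproducibly built enclave image")
	patched := append(append([]byte{}, audited...), " plus a change that logs every lookup"...)
	v := Verifier{VendorKey: vendorPub, Expected: Measure(audited)}
	nonce := []byte("session-nonce-1")
	return map[string]error{
		"genuine":    v.Verify(Platform{AttestationKey: vendorPriv, LoadedEnclave: audited}.Attest(nonce), nonce),
		"patched":    v.Verify(Platform{AttestationKey: vendorPriv, LoadedEnclave: patched}.Attest(nonce), nonce),
		"replayed":   v.Verify(Platform{AttestationKey: vendorPriv, LoadedEnclave: audited}.Attest([]byte("old-nonce")), nonce),
		"forged-key": v.Verify(Platform{AttestationKey: roguePriv, LoadedEnclave: audited}.Attest(nonce), nonce),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-11s %v\n", name, err)
	}
}
```

The "patched" case is the one reproducible builds buy you: a server operator who changes the enclave code gets a different measurement and the client refuses to talk, without the client ever seeing the server. What the model leaves out, and what the earlier comment's caveat "if it's correctly implemented" covers, is the vendor's side: the key certification chain, revocation, and the microcode and side-channel issues that can break the isolation the signature vouches for.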
Someone just enumerated numbers via scraping -- seems like this only would have marginal value for spammers and maybe as a check if whatsapp was used by a given number.
I have run into several crypto groups adding me to their group. I was not the only one. Several people were in this category who would be added randomly. They would eventually leave. And then another set of people would be added. I always wondered how they got my and other people's numbers.
I believe India requires their WhatsApp services to be segmented in country and backdoors to data -- they have a bunch of laws like this regarding communications all the way up to sat phones.
I mean, all this data provides is phone numbers that have been used (at least once) in whatsapp and this is publicly available via apis and simple scraping.
I am not surprised (or "shocked"). Despite the privacy snafus, it still remains ingrained in the user's habits. Unless the company crashes and burns, I don't see the end of the road for WhatsApp.
>To prevent personal data leaks, regular users should adopt common data security practices. This includes using a high-quality VPN and getting a reliable antivirus program. And since the shopping holidays are close, you can already find great market-leading NordVPN Black Friday and TotalAV deals.
What a disgusting site... Adding this blurb to a "news" article with "security measures" that do absolutely nothing against phone number scraping just to get those affiliate clicks...
That's just public data. You can check for every phone number if there is a WhatsApp account connected with it; there is no leak. Everyone knows this, these databases are worth nothing, and the prices are really low, as you see.
> To prevent personal data leaks, regular users should adopt common data security practices. This includes using a high-quality VPN and getting a reliable antivirus program. And since the shopping holidays are close, you can already find great market-leading NordVPN Black Friday and TotalAV deals.
This post is basically spam.