A note for people with US numbers who aren't finding their info:
> And finally, one last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.
US numbers begin with international code 1, and it seems that they aren't yet searchable.
I was surprised that mine hadn't come up, since I've had a few Facebook accounts over the years with my phone number, and this explains it.
Yeah, these companies that rely on user data will NEVER delete your data once you submit it to them (regardless if they say your data is deleted or account closed). For a company like FB you are the product.
My experience is completely opposite to yours. I have a Facebook account, phone number added and verified, profile privacy set to "friends only", but I can't find myself in the leaks.
My understanding of the dump is that it was scraped, thus it's non-exhaustive by nature. There's only half a billion accounts in it after all, and Facebook has far more.
My understanding is that all numbers in the dump correspond with Facebook accounts, so this shouldn't be the reason.
Another option would be that someone else has that number listed for their account. Has Facebook always required confirmation that a number is valid? I saw one of my friends' numbers in the data except the account had a different name.
Every time Facebook/Gmail/Google/Amazon/LinkedIn/Tinder/whoever asks me to give them phone number "just in case" my first and only thought is "hell no". I haven't been wrong a single time.
Let's not forget the notable case of Twitter "accidentally" using your provided phone number for advertising purposes [0], and to this day still banning you after registration if you refuse to give it.
Twitter also had staff who leaked Twitter account PII from the Twitter DB to spies from the Saudi government, who have a habit of killing journalists from time to time.
Twitter is especially silly in that regard. The info page on why my account was banned implied that one of my tweets violated the community guidelines - although I never tweeted anything.
Even more frustratingly, there is a form to appeal a ban. After filling out that form, I got a confirmation mail stating that Twitter will "respond as soon as possible", or in other words, never.
I do not understand why they bothered to implement all that hijinks to waste my time. Simply disallowing signups without phone number would have been much simpler and less dishonest.
Sadly, many companies now require a phone number to use their services. For example: Signal, Telegram, WhatsApp, social networks like Instagram and Vk. They don't like anonymous users. For some users, Google requires a phone number to sign up. Twitter requires a phone number if they see something "suspicious" in user's behaviour.
Not to mention WhatsApp is actually broken. It's bound to your phone number and can't change it. If you change SIM, your account is wiped.
AND the worst: your contacts are not notified so if they send a message to the old number, it will just silently fail.
Absolutely horrible. I never understood how WhatsApp could be phone-number bound and not account bound like everything else out there.
I've been using a MySudo phone number to use for signups when I'm forced to give out one. Has reduced the noise I get in my messages for my real number.
It's crazy that a phone number is a secret. The problem isn't having the phone numbers; it's all the terrible systems that only work if phone numbers are secret.
Phone numbers are not secret. These services ask for it mostly to be sure to get the right one (checking is expensive) and/or to have plausible deniability of your contentment when they abuse it later.
> "One last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 9 have completed loading. The other codes are in progress and may take several hours more before they're searchable."
Thanks, because the end of the blog post mentions 8 instead of 9:
> At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.
One other attack vector with this data that I've not seen much chatter about is that the phone numbers (and other leaked data) are sufficient to create a Facebook Custom Audience and directly target the associated people with ads. Cross referencing these numbers (or pivot through names) with any external data source and you've got the capability to target specific voters, for example. Facebook made a lot of changes [eventually] to their Custom Audience abilities via user ID as a result of the Cambridge Analytica scandal, this leak makes it not too dissimilar in terms of how you could at least segment and direct target ads.
Getting to the point where we’re going to need phone, email, and SMS to be deny all by default. Can’t reach me unless your information is already in my contacts.
My phone number (and some other details) were part of Nano Ledger's database that got stolen last year. So, some entrepreneurial scammer started calling me on a daily basis a few months ago. Really annoying. I'm well aware my phone number and email addresses are pretty much public information at this point. I actually put that on my web site even. But stuff like this makes me even less likely to answer unknown numbers. Hilariously, the scammer actually called me while I was giving a security briefing to our company about enabling 2FA. I put him on speaker and we had a good laugh while the guy insisted in broken English laced with expletives that he "had my money".
A few months ago some criminals social engineered themselves past my bank's security as well. The first I learned about this was a funny conversation (by phone!) from an actual Deutsche Bank employee asking me if I recently changed my address and phone number and whether I opened ten new accounts. "eh no?!..." Basically their fraud detection system kicked in before these people did any damage. I made a point of not doing anything else than confirming information they already knew (like my old address, email address) and asked for an on site meeting to discuss things in more detail. I realized instantly I had no way of verifying anything I was being told on the phone and might very well be talking to a scammer. As it turns out this was for real and the person actually managed to find my "old phone number" in some archive. Otherwise all my contact information had already been changed by the scammers. Thankfully I answered that call. Apparently, this happened to several people.
Basically, what happened was some persons just called the bank's help desk, asked them to reset my online banking access codes, and then somehow intercepted the pin codes (thanks Deutsche Post) before they reached me. The theory is that somehow the security of the distribution system was compromised. As far as I can tell, nobody broke into my building or mailbox. Then they started using them to change my address, etc. They got caught only when they created sub accounts and started transferring money.
I've been called twice by my bank to warn me of possible fraudulent activity. Both times I hung up on them and called back at the bank's own public customer service line and asked them if that was really them calling. Once it was and once it was not, so I'm glad I was that careful.
Possibly, but we can't do that either. What we need is some balance of both worlds. OOH, we do actually need to be contactable. OTOH, being too contactable means spam. I doubt there's a perfect balance, but either extreme comes with too many problems.
Email has decent spam filtering, and I think that kind of cat-mouse system will persist. That said, there's "room" for more whitelisting.
"I doubt there's a perfect balance, but either extreme comes with too many problems."
In principle, "pay me a small fee if you're not on my list, if I put you on my list now it's free" would work well (optionally refund someone who contacts you out of the blue that you approve of), but there's a lot of both engineering and social details between where we are now and such a system.
It doesn't take much cost friction to deter mass spamming. I don't think much problem would be left behind from the handful of overconfident spammers who think that they can bust the odds and it's worth 25 cents a message or something.
I found a novel solution by accident to this. I moved to a new area but kept my old number. 99% of my spam calls are from my phone’s area code. If you are not a contact and a number comes up from that area code, it is spam. If it is my new area code, it is a person or business trying to reach me.
As do I. This is a difficult problem to solve especially as the signal to noise becomes worse as abuse becomes more common.
I've had to wildcard block my area code (since I don't live there anymore) which captures 95% of my daily spam calls - but people can still leave a message to break through my wall if it's truly urgent. I don't see how this could work with SMS.
Even message requests on Facebook/Messenger have problems where you are unlikely to even see the request unless you check regularly.
It's a hard problem to crack. Some legitimate places need to be able to call you without you knowing them ahead of time. Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?
There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.
> Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?
Just wait for the deepfaked voice call scammers. Their best bet is to work up the hierarchy; a tiny local police station knows how to get in touch with a bigger police station that can contact an embassy, etc.
> There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.
All of these use-cases allow someone to spend the time to contact you via your preferred contact method, whatever that might be.
I'm in my 30s and I can't think of a single time I have ever received a phone call that I didn't expect. I get several spam calls every day. I would make the trade (and recently have, I block all unknown numbers now).
My iPhone is set to "Silence Unknown Callers." It's the perfect compromise. If a call is legitimate they'll leave a voicemail and I just call them back.
Non-technical speculation, but based on my own experience as an ordinary Facebook user:
I'm increasingly confident that this breach/leak has come about mostly through the privacy search setting (buried in Facebook's privacy settings - https://www.facebook.com/settings?tab=privacy -) which allows "Everyone" to search for a number in order to find your profile if so enabled.
This is a bit like an option that PayID/Osko (instant bank transfers) in Australia allows - one could bash through random mobile numbers and discover more information than just the number. I've always found this option to be creepy because I don't want people who might otherwise have my phone number legitimately to be able to facestalk me.
Please note that this is separate to displaying contact info publicly on one's profile page - yes, there is a dizzying array of different privacy settings on Facebook. Would Mark Zuckerberg have ever displayed his phone number publicly? I doubt it. But would he have allowed others who already have his phone number to search for him on Facebook? I'd say almost certainly yes.
I used to use Facebook more than I like to admit and I have provided my phone number to Facebook in the past, yet have managed to avoid being in this breach, whereas some people I know are in the data set. This means I'm quite sure that I'm not returning false negatives with the search.
Looking at the full breakdown [0], a bunch of Middle Eastern countries have near 100% breach. It seems like they were the target, and all the other countries were just collateral damage maybe? Canada, US, UK, all sitting around 10-20%.
After my wife's suicide (See the documentary Pain Warriors) I took over Karen's FB account as my own, and I changed the name on the account. Long before this breach I have been getting SMS Spam addressing me as Karen, on a number that did not exist when she was alive.
FB data can be the only possible source of that spam.
The spam is always trying to sell male enhancement products to 'Karen'. Anyone know how to stop this SMS spam crap?
Sorry for your loss. Right now I'm pretty happy that I scrubbed all information of my FB account months ago. If only people could stop using Messenger so I could delete it.
But I have a similar, but unrelated to FB, problem in that every month I get an offer to work as a nurse in Norway from different agencies. I figured they scraped some "find the number"-site here in Sweden long ago and since my mother's name was on my bill I guess my number somehow came up under her name.
It's been annoying for years but since my mother had some (non-corona) medical problems last year it has been downright infuriating at times. Anyone know how to make it stop when there is a bunch of different agencies messaging you?
Would you mind elaborating on how you "scrubbed" information from your fb account? It's been years since I closed my account but I know (e.g. see this article) this is not enough, so I consider reenabling it only to delete all my info, and then finally (?) deleting it.
I think it's pretty hard to stop incoming spam when the number itself has been made public.
The only options I know would be:
a. Play whack-a-mole, report the number to the authority in your country that handles this kind of spam activity.
b. Use some kind of mobile application that filters out the spam SMS. This one is kinda hit and miss, since the number data is coming from community reports, so some spam might pass the filter. And there might be some false positives from the spam filter.
I also would like to hear if there's alternative solution for this problem, other than changing the phone number itself.
My phone has an option called Do Not Disturb mode. I have set a schedule to turn it on every day from 12AM to 11:59PM. What Do Not Disturb will do is block (silence the notification or ringer) every message or call from someone that is not in your phone book. While unfortunately you'll still get the spam SMS, but you won't get the alert.
The only way I can see striking back at these spam calls is to pick up the call and waste their time, because it's expensive. Also if I pick up that means someone else is not getting scammed. I try to get as far along in the scam process as possible.
I enjoy the Pixel line of phones having Google Assistant answer spam calls for me. Sometimes it's fun to watch the conversation they attempt to have with the assistant.
At least here human operators apparently are paid for call duration and they will prolong the call up to 15 minutes and you don't need to say anything.
If you only mean "how not to be bothered" (instead of radical actual solutions of legal nature etc.), and the sender is a recurring number, very probably your phone OS has an option to reject calls and/or messages from specific numbers.
There was a spammer that bothered me, I blocked the number, and started receiving spam from adjacent ones (same number, just the last digit increasing by 1). Had to block 5-6 for them to go away.
For anybody getting a miss and wondering if they messed up the formatting, my US number is coming up now, formatted with a vanilla +1-123-456-7890.
"What should I do if I think that my personal data protection rights haven’t been respected?"
https://ec.europa.eu/info/law/law-topic/data-protection/refo...
"European Data Protection Board Members"
https://edpb.europa.eu/about-edpb/board/members_en
As I understand, deactivation is temporary, deletion erases all data.
But if people did delete their accounts and Facebook didn't erase the private data, aren't there consequences to this?
That's the problem, what we or regulators understand may well be very different to what actually happens.
> aren't there consequences to this
A slap on the wrist at best, I'd bet my house on it.
https://news.ycombinator.com/item?id=26708923
[0]. https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...
https://www.buzzfeednews.com/article/alexkantrowitz/how-saud...
Collecting this data is an accident (or murder?) waiting to happen.
Lots of likes, no RTs or posts though.
https://mysudo.com
https://twitter.com/troyhunt/status/1379366099544797189
> At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.
So I was like: what about another 8?
Edit: Actually, it is "4, 6, 7 and 8"! cf. https://twitter.com/troyhunt/status/1379377818618884098
You could likely get a far off area coded number.
[0] https://datastudio.google.com/u/0/reporting/afa08373-621e-4e...
It's not perfect, but it has had an impact on the amount of spam I receive.