Following the release of the 533 million phone numbers (acquired through the 2019 Facebook vulnerability), we wanted to bring awareness to the security & privacy implications of a public worldwide mobile phonebook.
You can check yourself, your family, friends and colleagues and inform them.
Disclaimer: we do not display (or even store) the phone numbers, we only show the last 2 digits so you can confirm it's yours.
Happy to answer related security and privacy questions.
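The announcement above says the site keeps only the last two digits of each number. As an added illustration (not code from the site or from NextDNS), here is what such a data-minimising ingestion step looks like: the full number is reduced to its last two digits when the index is built, so the searchable data never contains a complete phone number, and a lookup by name or profile id returns only what a person needs to recognise their own record. The field layout and the sample rows are constructed for this example.

```python
"""
Added example: build a breach-notification lookup index that never stores
full phone numbers. Rows are (profile_id, full_name, phone); only the last
two digits of the phone survive ingestion. Sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample rows; these are made-up values, not real records.
SAMPLE_ROWS = [
    ("100000000000001", "Alice Example", "+1 555 010 1234"),
    ("100000000000002", "Bob Example", "+44 7700 900123"),
    ("100000000000003", "Alice Example", "+33 6 12 34 56 78"),
]


def redact_phone(phone: str) -> str:
    """Reduce a phone number to a masked form keeping only the last two digits.

    '+1 555 010 1234' -> '**34'. Formatting characters are ignored.
    """
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 2:
        raise ValueError("phone number has fewer than two digits")
    return "**" + digits[-2:]


def normalise_name(name: str) -> str:
    """Case-fold and collapse whitespace so name matching is forgiving."""
    return " ".join(name.casefold().split())


def build_index(rows):
    """Map normalised name -> [(profile_id, redacted_phone)].

    Redaction happens here, before anything is stored, so the index
    holds no full numbers.
    """
    index = defaultdict(list)
    for profile_id, name, phone in rows:
        index[normalise_name(name)].append((profile_id, redact_phone(phone)))
    return index


def lookup_by_name(index, name):
    """All records for a name; several people may share one name."""
    return list(index.get(normalise_name(name), []))


def lookup_by_profile_id(index, profile_id):
    """Resolve a single profile id to its masked phone, or None if absent."""
    for entries in index.values():
        for pid, redacted in entries:
            if pid == profile_id:
                return redacted
    return None


def index_is_minimised(index) -> bool:
    """Sanity check: no stored value retains more than two digits."""
    return all(
        len(re.sub(r"\D", "", redacted)) <= 2
        for entries in index.values()
        for _, redacted in entries
    )


if __name__ == "__main__":
    idx = build_index(SAMPLE_ROWS)
    print(lookup_by_name(idx, "alice example"))
    print(lookup_by_profile_id(idx, "100000000000002"))
    print("minimised:", index_is_minimised(idx))
```

Because redaction is applied at build time rather than at display time, a leak of the index itself exposes nothing more than what the lookup page already shows.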
It would be useful to have search results when names aren't unique. I share my name with a famous author (not a sci-fi author, but somehow he went back in time to steal my name before I was born), but I'm not going to click through all of them to see which one is me.
On the plus side, I'm liking my good choice of having a non-unique name right about now.
Without being able to search by my unique identifier (i.e. my profile is facebook.com/IDENTIFIER), because there are more than ten people with my name, this tool is useless. Shame.
I've gotten somewhat hit or miss results finding my profile_id via the inspect element in Firefox, and then just appending it onto the end of the url.
However, I'm not sure if it's because my account was created at the end of June 2019 that it didn't return anything, or if it didn't work. (It worked when I pulled up a couple of the big name users' IDs and compared them to the breach.)
I see a lot of people saying that this is from 2019. I'm a sophomore in college right now, and most of my friends created accounts in early high school - well before 2019, yet none of us have found any of our information. The only explanation I've got so far is it may have been limited to those over 18 when the data was scraped - most of my friends would have been 17 then. Any other ideas?
Data on every user was not leaked. IIRC it was only (heh) some ~500M records.
I've been on FB since 2004, and my data was not in the breach. Stuff like this reminds me that I still need to scrub my profile. I really just want to keep the account open so I can receive event invitations.
Unlike other similar (and often suspicious) websites:
- you do not enter your phone number (or email). You just search yourself (or your close ones) by name, the same way you would Google or Facebook yourself or your friends.
- even if that shouldn't be the only trust signal, we (the folks at NextDNS) work around security and privacy every day for the benefit of users. And while we are still a startup, we are used by many, including experts in the security industry.
Why should I trust haveibeenpwned either?
I know the reputation of the owner of that site, but how is it really different?
Is the resource publicly verifiable?
It's just implicit trust we have in the site.
Away from the HN echo chamber, a regular user can't differentiate various websites.
Calling it stupid is a bit too much.
That is fine, what I meant is scammers will use this opportunity to grab more data from you under the guise of you checking to see if your old details are present or not, and you end up giving new PII as well.
I don’t want to come off as a Facebook apologist, but are there any privacy implications in being part of this breach, if you are already listed in the phone book?
It's targeted phishing. In my country at least, it's hard to get a decent mass list of names/number pairs so the scammers rely on very dumb approaches which can be automated for lead generation, like robo dialling with recorded messages - "hello... <pause> I've been informed you have been in a car accident" and the speech recognition before putting a live agent on the call. Now with this super clean list they can do some automated profile building in advance and prepare the message - "Hello Mark... <pause> ...I've been informed you would like to have lunch with a senator".
Also a lot of data brokers that provide spam lists like Lusha, LeadIQ, RocketReach will use this to enhance their databases. The profile on you they scraped from LinkedIn will now include your private phone number etc. All highly illegal in the EU but enforcement is lax and they hide offshore in the USA etc.
That is true, but I really wasn’t able to get from the article what exactly someone could do with just my name and number beyond calling me while knowing my name in an attempt to scam me.
---
A few Persons of Interest:
Mark Zuckerberg https://facebookbreach.com/4
Didier Reynders (EU Privacy Chief) https://facebookbreach.com/100011885742964
Emmanuel Macron (President of France) https://facebookbreach.com/100026099615243
Xavier Bettel (Prime Minister of Luxembourg) https://facebookbreach.com/901110787
Why? Troy is monetising like everyone else.
We try to shine a light on the implications of this on the website itself (you may need to scroll down a bit).
Short term, just being aware of it should make things better, as there is going to be a massive surge in phishing and other types of attacks.