Facebook: "This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers."
Not that "old." Some of those "update" dates are just a few days ago.
Yep. As far as I’m accustomed most people do whatever they can to maintain their phone numbers even across services. So much so that it’s law in Canada a provider can’t lock in your number and must let you take it with you to another provider.
I love how they used to pretend that their response to regulatory pressures was in fact a new product/feature offered by them. For instance, allowing me to keep my phone # was phrased in a way that would make me think that EE/O2/... let me do that for free, yay. Same applies to the EU regulations dealing with lowering roaming charges—the carrier I used at that time even developed branding for it. It’s a bit damaging given how little UK citizens know about EU.
It's actually a terrible system though. It relies on the original issuer of the number maintaining essentially a "proxy" to your new provider. So if I transferred from o2 -> EE, and o2 had network issues, it's possible (and has happened to me personally) that I am affected even though I have left o2. I think also calls are actually physically routed through the original network. Lots of weird things can happen like texts from certain networks never arriving.
I had to get a new number when I discovered my NZ family could receive my texts but their replies never arrived at my end.
I've been switching back and forth between two providers for the last 5 years, and I've always wondered now that I'm back to my first provider if calls/texts to me go directly to A, or go A->B->A->B->A.
Should just go straight to A. The way the numbers work is that the prefixes are assigned to various operators. When you transfer, the "owning" operator forwards calls on to the target operator. If you returned presumably the forwarding is removed.
(From [0]): "One of the very few countries not to use ACQ/CDB is the UK, where once a number has been ported, calls to that number are still routed via the donor network. This is also known as "indirect routing" and is highly inefficient as it is wasteful of transmission and switching capacity."
And
"Because of its donor dependent nature, indirect routing also means that if the donor network develops a fault or goes out of business, the customers who have ported numbers out of that network will lose incoming calls to their numbers."
The handset initiates it by sending an SMS to a shortcode.
Shortcodes are phonenumbers that are carrier-specific e.g. the three digit code that you use to access your voicemail etc.
The phone company knows the identity of the calling handset when it gets the text message with a high degree of certainty, as the handset is directly connected to its network.
So the person doing the transfer has to be in procession of the phone, or able to spoof or clone the phone.
The specific UK mechanism that is the subject of this subthread was introduced in July; it's not what your wikipedia link describes (social engineering to get a number ported).
I'm also in the UK, I've had the same phone number for at least a decade. It has been easy to carry your phone number to a new provider for as long as I can remember.
You just contact your existing provider, tell them you wish to leave and need the PAC code. After they beg to stay and throw you a sweetheart deal. They'll send it via text or post.
you have been ABLE to do that for as long as I can remember (I've kept the same number since 2005 now on all the major networks. I only didn't keep my number prior to that because it was a work provided contract) but depending on which you were dealing with would put up a number of different obstacles when you contact them to make the process as painful as possible (to keep you as a customer... THREE I'm looking at you!)
so the new automated SMS process introduced in July is a welcome addition
Good to know it's a law. I was discussing this yesterday as being easy and frequent to port over number between providers. Do you know if providers are allowed to charge a fee for the transfer?
No, but if you were on a contract they can charge you the device cost prorated to how much time was left on your contract. And the new carrier can charge a setup or admin fee, though most carriers don’t for competitive reasons, or they call it a SIM card fee and waive it if you activate via eSIM. All the fine print in Plain English: https://crtc.gc.ca/eng/phone/mobile/num.htm
Further regulation covers number portability beyond the named carriers, and require all carriers to register with the CRTC, etc. https://crtc.gc.ca/eng/archive/2017/2017-11.htm In return, the CRTC helps guarantee access to the large players’ wholesale networks, though in practice the fight is still ongoing over newly installed fibre optic networks and the uncompetitive rates the incumbents charge for full speed service on their networks.
It’s not all good news - A particularly disappointing CRTC ruling followed Bell Canada’s recommendation that Canadian TV should only be provided via Internet if the household has internet from that TV provider directly. Which has effectively locked out any over the top competition such as YouTube TV from Canadian markets as they won’t be able to offer Canadian OTA channels. Sadly, I can’t find the ruling in the mess on the CRTC site, as CRTC language is obscure to say the least, but as TV is heavily regulated in Canada, the CRTC has old fashioned rules saying IPTV providers must provision a box and a line for service (Internet) in order to offer TV. This limits competition to only those willing to provide Internet in Canada to every household, or requires third-parties to negotiate with incumbents for access to such households. Existing third-party ISPs/Canadian IPTV companies go along with the above rules because nobody wants US providers entering the market, they just want to carve out cheaper Internet+TV price points with competitive Internet speeds that the incumbents don’t offer at competitive wholesale rates and benefit from a high switching cost where switching TV providers means switching ISPs knowing most people won’t do it. Until we have enough VOD content, Canadians are either pirating, using VPNs or paying their ISP for television, not having any other legal choices in this country...
While I can’t find the ruling just yet, here’s an article from 2015 highlighting Bell’s requirement that IPTV be restricted to ISP lines: https://www.cbc.ca/news/business/bell-crtc-25-basic-tv-1.375... And here’s an article where Bell refused to license their networks to VMedia’s Roku app arguing that by going over the public Internet, VMedia was running the content on a private network outside Bell’s control (Most IPTV providers find it cheaper to bundle with Bell’s VDSL) https://www.cbc.ca/news/business/bell-vmedia-iptv-internet-r... This later led to the ruling that only ISPs can provide TV...
Personally I’m more irritated by how much VOD content Bell has exclusive license to, such as their Crave+HBO, which is cheap for now, but helps Bell compete with channels offered by Amazon Prime Video. Corus, formerly owned by Shaw (another cable provider) licenses a lot of US content, and so might limit what content is available north of the border. It’s particularly hard to find VOD episodes from Turner and Viacom networks and the expanded licensing STARZ has with Hulu is completely absent north of the border. When you can’t find a show legally on any VOD network in your country including iTunes, what are you supposed to do...? CRTC rules are not making this any easier for Canadians to watch what they want, wherever they want (ISP requirement means your cell phone must also have service from your IPTV provider, it’s nuts), and on whatever device they want...
> changes last year to remove people’s ability to find others using their phone numbers.
What? That's not true, I reported the issue about user enumeration via phone numbers being possible in Whatsapp, Messenger and Instagram to them last week and they claimed (paraphrased) "it's a feature, not a security issue".
Do you intend to publish this correspondence? I think some companies prefer to sue people using these "features" instead of changing them. It's a good thing to have on record.
There's not much to publish. It is just me saying that a custom contact book allows finding out a lot of people's accounts, them saying that the behavior respects people's settings and is working as intended.
The new normal in public relations seems to be to make irrelevant or simply mendacious excuses which seem to suggest that they don't have a clue, but which actually show their contempt for their users.
In Vietnam, scammers use a few numbers to call the target first, making those number the "most frequent recently", then take over the target phone number. This security model is terrible.
Did you have a PIN/Passcode on the account [1]? That a 6-15 digit number you can set on an account that you have to supply when you call support, or have to give to your new carrier for them to get your phone number ported off of T-Mobile.
And then I match it with their personal phone numbers in the dataset (apparently its now offline, but maybe another one will reappear at some point).
And then I can just call these phone numbers and sell them stuff? And its perfectly OK because even if a dataset like this goes into the wild it acts as nothing more than "just a phone book"?
Heads up: when Facebook asks you to give them your phone number to "prevent you getting locked out of your account", they really just want it so they can identify your other profiles in datasets they've bought/own (e.g. WhatsApp). If you've ever given the service your number, you should consider your real identity linked to it.
> If you've ever given the service your number, you should consider your real identity linked to it.
I have a feeling it's worse than that. (I haven't rigorously perused the ToS, if I'm wrong please lmk.)
Let's say your friend John has an iPhone and saves your name and # in their contacts. One day John installs the Facebook app & opens it. John is not technical and when the app requests permissions he taps 'Allow'. At that point AFAICT there's nothing stopping Facebook from snagging your name & number and populating a ghost profile, or corroborating a real one.
In other words, if you've ever shared your phone number to someone who uses the Facebook app who doesn't dutifully and consistently reject permissions prompts, it's probably already too late.
I’ve confirmed this same type of behavior in several of Google’s products as well, as part of an experiment a couple friends and I ran a several months back, using fake personas, to see how feasible it’d be for one to simply exist w/o creating a digital footprint (let’s just say that our overall conclusions left me feeling very sad).
Facebook frequently suggested my own mobile number to add it to my account when after I logged into the mobile webpage via phone (I never used any Facebook apps).
My only explanation for that was exactly that it had been farmed from a friends contact list.
Would rather not share the details here, but I know of one instance of a person having been found on Facebook via her phone number even though she never provided it - just one imprudent person who has your number associated with your real full name is enough for this to happen.
You're exactly right. Add in the fact that Facebook can pose this as a puzzle to be solved, and attract a steady stream of sharp young people who can solve the puzzle without being bothered too much by the ethical consequences of solving the puzzle.
Facebook does indeed do that. One of the big reason of paying 22B for whatsapp is so that they could retrieve the entire friend graph of WhatsApp and use that to drive Facebook + Instagram MAUs.
The bigger the network, the more value a user gets, and the deeper the lock in.
It has been shown over and over again that both Facebook and Google will go to extreme lengths to know about their users’ lives and target them with precision ads. They are advertising companies foremost.
It would be interesting to see if there are ghost account numbers in the dataset. Depending on the country or region, would there be grounds for litigation if there were?
> you should consider your real identity linked to it
What is the point of these products if not linked to my real identity? That’s the whole idea of them. I use Facebook and WhatsApp to talk to people who know me. That’s why they want to talk to me. If they didn’t know my identity they would want to talk to me.
Of course your real identity is probably involved somewhere. It's just that I, and many others like me, don't think a third party should know what my real identity is. It's not their business.
Edit: Unfortunately it probably is their business. A poor choice of words.
No, not really. I don't apply for jobs, book flights or vote with my Facebook account. I'm not concerned with what kind of insights that Facebook can infer from a fake Mickey Mouse account. I'm concerned about the possibility of being discriminated against in the real world based upon data gleamed from my online interactions.
You can get discriminated when booking flights though and you get selective propaganda through your FB account though... so you individually may not be affected but your group, whatever that is, may be.
Off the top example: If four of your friends are buying gifts for your baby shower, this is a signal that your other friends have the intent to buy baby gifts and could be marketed to.
WhatsApp was specifically designed to be encrypted and private. Facebook, however, seems to play fast and loose with data. Sure you can talk to John Doe, but you might hope no one else knows that you're talking to John or what you're talking about. Useful, for example, to report a government conspiracy to a reporter.
That's not the only reason. They also allow advertisers to target based on specific phone numbers. It's one of the creepiest features, along with targeting based on e-mail.
OC is likely referring to Custom Audiences. Facebook let you hash a list of emails or phone number, share it with them, so they can compare with their own. It allows businesses to target their customers or prospects separately.
When you go shopping the casier asks your your home address and phone number, for invoice/bill. Then they upload your phone number to Facebook and advertise based on your purchasing history with them.
Brings to mind a question, I've got a throwaway google voice number for precisely this reason, some services will let me use it, others (even Google-tried using a GVoice number as a recovery phone number for a gmail account for my grandmother, nothing doing) wont, few just throw back a generic error, others will say they don't allow virtual DIDs.
Someone's going to say that's to cut down on fraud/increase security, right? Yet these services are going to (against many in the InfoSec world who are screaming "STOP DOING THAT") use SMS as a means of 2FA...
I'm a bit confused where the value add is for account security in making virtual telephone numbers such a hit or miss.
Real security is picking a unique password and not forgetting it. Letting someone handle your security by giving them your phone number in case you can't handle it was never a good idea.
Get a password safe, and don't forget your complex passwords.
2FA (through an third-party like an email provider or, even, dare I say it, an SMS provider; not TOTP) continues to protect you when your password is compromised by a backend-side database breach. They might get your password; they might get your TOTP token seed; but there's nothing in the DB that will allow them to receive an email as you and then click the link in said email.
Yes, allowing someone to reset their password through a second factor is bad; but that's not 2FA, that's two independent 1FAs.
This is a good distinction and absolutely right. The problem comes when people substitute good passwords for 2fa resets via phone. The problem with that is that the majority of usage now comes from the phone, so it's not really a second factor if you lose your phone. It's a complex problem that depends on the situation and really too complex to make a matrix of when it's ok for your average Joe. Passwords suck, and we still use them, because as a general rule, it's the best thing we have.
Kinda curious how you never find those dumps by a normal search on Google, basically you have no way to know if your data is there if you don't know where to look. I don't use Facebook but I always suspected my data is there due to friends having me in their contacts and using their apps.
It also indexes ftp, but that may unfortunately be coming to an end[1]. Ironically enough, Google's mission statement is still "to organize the world's information and make it universally accessible and useful", which if taken to its logical conclusion would mean such humorously delightful things as scanning for mongos and indexing their contents too...
You are likely in this database if you added your phone number to your Facebook account. There was a point where if you just typed a phone number into facebook it'd return the person who associated their account with that number.
The article says that each entry has an ID associated with a Facebook account. What leads you to think that there are entries in this dataset for non-users?
It's well known that Facebook collects information on non users as well, frequently called "shadow profiles.", Zuck admitted as much to Congress although he claimed not to know what shadow profile meant. [0]
Whether or not that information was part of this database isn't clear, but it also isn't something the parent comment claimed.
> You are likely in this database if even a single one of your contacts uploaded their contacts to Facebook.
Shadow profiles are old news. The suspect claim is that the parent comment is more informed on this database than the source that published it.
> Whether or not that information was part of this database isn't clear
Yes it is. According to the source this particular public data dump consists only of entries with IDs linked a Facebook account.
> Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account
I don't see why shadow profiles couldn't use the same ID system. why not?
For the parent comment saying they were in the data set: My initial interpretation was they meant if one Facebook user had done so, and you were also a Facebook user, whether or not you had provided your #, it was now associate with you. Your interpretation might be correct though.
Well, I never had an FB account. But I have friends who I know have contact search enabled on their phones, so they probably have my phone and maybe first name.
What would happen if millions of people changed their phone numbers and did not re-register them with new accounts? Does anyone believe a social effort could dissuade the use of phone numbers for tracking people? How much entropy would need to be added to the system before using phone numbers as identifiers became useless?
Is protocol if you find these things a security researcher not to share the link? I read about these leaks a lot and am always interested in viewing them but never can find them. I assume the links are shared with people carefully because a small number of people will use them maliciously.
Depending on the severity of the breach, yes it's generally considered best practice to notify the service first and give them time to deal with it. Depending on how bad it is, the person reporting it may be compensated for finding it. The company would generally fix the issue, and then the person who found it can make it public (based on their agreement with the company sometimes). The time period is often 90 days, but it could be worked out independently per case.
As with anything like this, consult a lawyer who knows this area of the law of you find yourself in this situation.
It’s never good to disclose PII. Dropping vulns after responsible disclosure is mostly considered ok, not so much with PII - it’s not the victims fault and can be damaging longer term.
If the vendor refuses to fix the issue, providing the media with enough redacted info to have them publish a story will force the vendors hand.
Imagine what's going to be found online after Libra is implemented - accounts, phone numbers and the history of purchases including supplier's name and type - a dream database for target advertising.
It's clearly a mongo database. I'm curious if there was no password because mongo doesn't password protect by default or if it was intentionally left public.
Do HN readers know you can buy lists of millions of people's names and phone numbers from companies whose sole purpose is collecting them, like infogroup?
Yes, you can get tons of personally identifiable information from things like public records laws and such. That's irrelevant, though. This is a phone number tied to a facebook account, not just their name.
A major difference here is the ability - at scale - to associate people with their facebook accounts. There are people who do not want to be associated with by their facebook account, and reasonably so. Not sure why you don't think that wouldn't be a big deal.
You're suggesting that Facebook is 100% accurate in determining whether a name is real, or a pseudonym.
Imagine this: someone is on Facebook and wants to hide their identity for some reason. Best examples I can think of right now is teachers who don't want their profiles accessible to their students (because high schoolers can be little shits). Or someone trying to create a new life after domestic abuse. It makes full sense that they wouldn't want to give their full name so that they can't be found. Facebook isn't good enough in real name detection to get it right 100%. How could they?
With this sort of dump, a domestic abuser can much, much more easily find the person they abused, when that person was previously under a pseudonym.
This is just a small example. It gets much more complicated when considering how many millions of phone number:Facebook IDs were released.
depends on the jurisdiction. In Germany this is a grey area or outright forbidden depending on the case, and this dump apparently contains numbers from numerous jurisdictions.
Also, needlessly to say someone who gives facebook their phone number for verification purposes does likely not expect that the data is leaked or sold without their permission.
> needlessly to say someone who gives facebook their phone number for verification purposes does likely not expect that the data is leaked or sold without their permission.
Sadly, this isn't the case anymore. People absolutely expect companies to sell or leak every last bit of PII data they have on all their customers now.
> The database was originally found by security researcher Sanyam Jain, who said that he was able to locate phone numbers associated with several celebrities. It's not clear who owned the database nor where it originated from, but it was taken offline after TechCrunch contacted the web host. There is no word on why the data was scraped from Facebook or what it was used for.
A less virtuous person would just pay criminals a hundred bucks or some other trivial fee to have direct access to the data that's being collected (and mishandled) about him. The song and dance required to keep these leaks out of public sight only enables victimizers, and there would be a magnet link in this very thread if they didn't have deep pockets and a vested interest in relegating this news to a one-and-half-page internet news blurb.
Hashing an IP address (or phone number) doesn't add much security because such hashes are easy to reverse. Better idea is to delete IP address after some short time. You might keep it for a week on month to prevent mass registration, but after that time you don't need it.
Is it that difficult to encrypt phone numbers before storing to a database? Or do they just use ridiculously easy to break encryption algorithms? Or does Facebook just not care?
Facebook used to have a feature that allowed users to find a profile if they have a phone number. I found it useful when I received a text from an unknown number. Especially to protect myself from being catfished.
If I understand correctly, someone collected all the queries and all the results and made a phonebook.
I think Facebook cares, but at the same time they always benefited from these measures where they let their users see as much as possible.
So... any way I can see if my number was in this database?
Pretty funny. Years ago I very-begrudgingly verified my phone# on my FB account as my employer had me working on a FB integration... I knew I should have upheld my principles and not used my personal account.
Oh yeah, this was a long time ago, and I have since adopted the same mentality :)
I think at the time the only way to be a Facebook Developer was to verify your identity via SMS (or something like that) and you couldn't just create a fake/pseudonymous account for development purposes. I assume that is still the case, but I have no clue.
It can be scraped even when it's "Only people who you have in contacts" (can't recall the exact wording right now), Facebook thinks it's a feature and that their privacy measures are working properly.
That's egregious but have you ever looked yourself up on any one of those crazy info scraping sites? usphonebook.com and dozens of their ilk? You might be shocked by what you find. Some colleagues had all old email addresses listed, not to mention correct current address and associated persons.
Point is, Facebook probably already have it, the Enemy probably can easily get it.
Facebook is of course evil, I don't want to diminish their scraping and also security mishaps.
That would be dangerous: it would be much easier to mine haveibeenpwned by enumerating phone numbers and see what sites have been hacked with a certain number. You would then know exactly which sites to target with which phone number, and that's already eliminating a lot of work. Get a password dataset or two in the darknet and you can now hack into many accounts.
There real catch with this is how all this information was public for so long. The average user still doesn't understand that they posted their PII to a searchable database, and ultimately the ramifications of doing so.
Even now, yes FB has restricted phone numbers, but a simple bot friending ppl on FB, which many users would blidnly accept requests from, would once again reveal all this data
> ..The data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.
EDIT: Oh, you were asking "from where". I'd be curious to know the source of this database too, since it's probably just one of countless copies circulating..
Back then they were home phones, they belonged to a household more than an individual. You had to be home to receive calls. Telemarketers arrived fairly late in it's existence. Robocallers were rare. You couldn't be spammed with text messages.
White pages worked because there were less bad actors.
Not that "old." Some of those "update" dates are just a few days ago.