Since there's about 32 million leaked US numbers, but there potentially exist up to 10 billion, any hash function that would take a day to process the leak would still require over 300 days to bruteforce the whole space.
Granted, any number in the leaked set could still be trivially reversed when submitted -- but those were known already anyway, they are just associated with more metadata now.
You're right about that!
If I was to make a HN-friendly version, I'd probably make static JSON files that list all the numbers, indexed by the first four or so digits. When you enter a number, the first digits are sent to the server, and the appropriate JSON file is returned. That list is then searched client-side for the full number and the result displayed. The code should be simple and easy to verify that the full number doesn't leave the client, while maintaining the same simple user interface I already have. Variations of this idea could be more secure (i.e., only enter the start of the number and search for your number yourself in a long list) but less user-friendly.
I don't actually have any plans on implementing this though. I feel satisfied enough with what I have.
(I don't think hashing would work because the address space is too small and reversing is too easy. There aren't any email addresses.)
And you're right, the only way to build a HN-friendly version would probably be to basically do the checking client-side, since any additional information you send to the server could be directly used to narrow the search space.
I think I read that there are some email addresses in the leak though; wasn't HaveIBeenPwned searching only for those, but not for numbers?
I’m not seeing that. If Facebook recognizes the phone number, it offers to send an SMS to that number or to send an email to an obfuscated email address (like r***@***).
At most, you learn that the user’s email starts with an “r” as in example above. And possibly the numbers of letters in the username, but my experiments indicate that Facebook is not telling you the precise number of asterisks to deduce the length.
Maybe when you tried it, you were using a known device (e.g., having an IP address from which you logged into Facebook on an earlier occasion), and therefore Facebook was offering you more detail, such as your username. Could you try a random phone number from the 533M leaked numbers and see if you still get the username?
At a minimum, what this search allows is confirmation that a phone number is associated with an existing Facebook account.
But, if it is GET requests in the URL over http, yeah, that is leaving a trail.
Any 3rd party JS analytics has access to everything, though.
But a telephone number is telling the website operator at most that the phone might be associated with you, but all he learns about you is your IP address and possibly your browser fingerprint. He doesn’t get your name, Facebook ID, email address, interests, password, or anything else.
Now you might say that he can see your Facebook ID or email address in the list of leaked data, and possibly through the Facebook password reset user interface as well. But he could have done that anyway without you ever having supplied the phone number. He has the entire leaked list and it seems that pretty much anyone can get the leaked list with modest effort.
Furthermore phone numbers by themselves carry very little information because they are not sparse. If I give you a correctly formatted 10 digit number like nnn-nnn-nnnn, there’s a quite good chance that it’s a working North American telephone number. By correctly formatted, I mean that it has a valid area code, that the prefix doesn’t begin with a 1 or 0, that the prefix is not 555 (that’s for movies you know), etc. If you follow those rules, I once worked out that you’d have a 20% chance that you’d get a working phone number.
The point is that keeping your random 10 digit phone number off the Internet offers you no additional security or privacy. Phone spammers can test call every possible North American telephone number just as hackers can scan every IP4 network address in the world (only 2^32 of those).
Associating the phone number with your name is bad, I agree. That allows targeted attacks (and targeted spam calls). But you are not giving your name to this website operator. You’re giving him 10 digits — he could have pulled 10 digits out of thin air and it would likely have been someone’s phone number anyway.
If my phone number could be linked to my Facebook data then I am giving away a lot more information than just my phone number.
Best case scenario, they link a phone number to my IP address which is dynamic. They can narrow my IP address down to the general area, but phone number area codes already accomplish that.
People seem to forget that we used to have things called PHONE BOOKS which had people's addresses and phone numbers publicly available...
I don't know of anywhere that has leaks for free, but I'm not really involved in that world so maybe it exists.
magnet:?xt=urn:btih:0435a5d392107f3e5b0b047d204c8cec98e31e72&dn=facebook_leak&tr=udp://tracker.openbittorrent.com:80&tr=udp://tracker.opentrackr.org:1337/announce
At least I think that's probably it. Not 100% sure.
Edit: Yeah seems legit. It has me in it. It has my phone number, name, facebook ID, address (though note that it is just the address you tell Facebook - mine is just "London, UK" which isn't even up to date), and then a date. Not sure what the date is; possibly retrieval time? Most are between 2016 and 2018.
The data is separated by country and it seems it isn't perfectly consistent (i.e., the Australian data is one CSV file while the American data is six colon separated files), so there's effort in adding each additional country.
I get so many spam calls I'm afraid to enter my number anywhere.
Select-String "(firstName\b)+:(lastName\b)" '.\theUnzippedFolder*.txt'
I'm not familiar with Windows at all, but this worked for me testing names I already know are in the txt, and I found some people with names like mine but not me, phew. It would've been faster to just open each text and Ctrl+F, but I guess I learned something useful.
I deleted my account a while back. (Well, whatever Facebook calls “deleted.” Incidentally, did you know you can’t delete your HN account, even if you email them and ask?) Curious whether there’s any data for me at all in this breach.
Reason enough right there not to link an email to your HN account
I'd use that but not searching by phone number.