The Facebook phone numbers are now searchable in Have I Been Pwned (opens in new tab)

If you’re a EU citizen contact your local data protection authority and file a complaint. It literally takes 5 minutes.

Did you deactivate or delete your facebook account?

As I understand, deactivation is temporary, deletion erases all data.

But if people did delete their accounts and Facebook didn't erase the private data, aren't there consequences to this?

Yeah these companies that rely on user data will NEVER delete your data once you submit it to them (regardless if they say your data is deleted or account closed). For company like FB you are the product.

My experience is completely opposite to yours. I have a facebook account, phone number added and verified, profile privacy set to "friends only", but I can't find myself in the leaks.

I deleted my phone number around mid-2018 and it’s also part of the leak tying the phone number to my name and gender

https://news.ycombinator.com/item?id=26708923

I got a bunch of spam phone calls today.

Couldn't it be there from someone who knows you? I was under the impression that Facebook grabbed people's contacts list on mobile apps.

Mark Zuckerberg's phone number is there too.

My phone number (and some other details) were part of Nano Ledger's database that got stolen last year. So, some entrepreneurial scammer started calling me on a daily basis a few months ago. Really annoying. I'm well aware my phone number and email addresses are pretty much public information at this point. I actually put that on my web site even. But stuff like this makes me even less likely to answer unknown numbers. Hilariously, the scammer actually called me while I was giving a security briefing to our company about enabling 2FA. I put him on speaker and we had a good laugh while the guy insisted in broken English laced with expletives that he "had my money".

A few months ago some criminals social engineered themselves past my bank's security as well. The first I learned about this was a funny conversation (by phone!) from an actual Deutsche Bank employee asking me if I recently changed my address and phone number and whether I opened ten new accounts. "eh no?!..." Basically their fraud detection system kicked in before these people did any damage. I made a point of not doing anything else than confirming information they already knew (like my old address, email address) and asked for an on site meeting to discuss things in more detail. I realized instantly I had no way of verifying anything I was being told on the phone and might very well be talking to a scammer. As it turns out this was for real and the person actually managed to find my "old phone number" in some archive. Otherwise all my contact information had already been changed by the scammers. Thankfully I answered that call. Apparently, this happened to several people.

Basically, what happened was some persons just called the bank's help desk, asked them to reset my online banking access codes, and then somehow intercepted the pin codes (thanks Deutsche Post) before they reached me. The theory is that somehow the security of the distribution system was compromised. As far as I an tell, nobody broke into my building or mailbox. Then started they using them to change my address, etc. They got caught only when they created sub accounts and started transferring money.

Possibly, but we can't do that either. What we need is some balance of both worlds. OOH, we do actually need to be contactable. OTOH, being too contactable means spam. I doubt there's a perfect balance, but either extreme come with too many problems.

Email has decent spam filtering, and I think that kind of cat-mouse system will persist. That said, there's "room" for more whitelisting.

I get a lot of value out of being reachable by people I do not yet know.

It's a hard problem to crack. Some legitimate places need to be able to call you without you knowing them ahead of time. Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?

There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.

I do that already. Prevented e.g. Hult MBA from pitching their exquisite high-end educational services...

I already don’t accept any calls. The robocall stuff in the US is out of control.

Let's not forget the notable case of Twitter "accidentally" using your provided phone number for advertising purposes [0], and to this day still banning you after registration if you refuse to give it.

[0]. https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...

Sadly, many companies now require a phone number to use their services. For example: Signal, Telegram, Whatsapp, social networks like Instagram and Vk. They don't like anonymous users. For some users, Google requires a phone number to sign up. Twitter requires a phone number if they see something "suspicious" in user's behaviour.

I feel like saying "after you!". What's that Google? No phone number? Oh...

Not to mention whatsapp is actually broken. It's bound to your phone number and can't change it. If you change SIM, your account is wiped. AND the worst: your contacts are not notified so if they send a message to the old number, it will just silently fail. Absolutely horrible. I never understood how whatsapp could be phone-number bound and not account bound like everything else out there.

I've been using a MySudo phone number to use for signups when I'm forced to give out one. Has reduced the noise i get in my messages for my real number

https://mysudo.com

It's crazy the a phone number is a secret. The problem isn't having the phone numbers; it's all the terrible systems that only work if phone numbers are secret.

Sorry for your loss. Right now I'm pretty happy that I scrubbed all information of my FB account months ago. If only people could stop using messenger so I could delete it.

But I have a similar, but unrelated to FB, problem in that every month I get an offer to work as a nurse in Norway from different agencies. I figured they scraped some "find the number"-site here in Sweden long ago and since my mothers name was on my bill I guess my number somehow came up under her name.

It's been annoying for years but since my mother had a some (non-corona) medical problems last year it has been downright infuriating at times. Anyone know how to make it stop when there is a bunch of different agencies messaging you?

My deepest condolences.

I think it's pretty hard to stop incoming spam when the number itself has been made public.

The only options I know would be: a. Play whack and mole, report the number to the authority in your country that handles this kind of spam activity. b. Use some kind of mobile application that filter out the spam SMS. This one is kinda hit and miss, since the number data is coming from community reports, so some spam might pass the filter. And there might be some false positives from the spam filter.

I also would like to hear if there's alternative solution for this problem, other than changing the phone number itself.

My phone has an option called Do Not Disturb mode. I have set a schedule to turn it on everyday from 12AM to 11:59PM. What Do Not Disturb will do is block (silence the notification or ringer) every message or call from someone that is not in your phone book. While unfortunately you'll still get the spam SMS, but you wont get the alert.

The only way I can see striking back at these spam calls is to pick up the call and waste their time, because its expensive. Also if I pick up that means someone else is not getting scammed. I try to get as far along in the scam process as possible.

Very sorry for your loss and thank you for sharing.

If you only mean "how not to be bothered" (instead of radical actual solutions of legal nature etc.), and the sender is a recurring number, very probably your phone OS has an option to reject calls and/or messages from specific numbers.

If you are in the US you can register at donotcall.gov

It's not perfect, but it has had an impact on the amount of spam I receive.

I can’t imagine telling everyone I know that I’m changing my number every couple years, and I’m not even calling/messaging a lot of people nowadays. I have a family member who did something similar(not on purpose) and I still have 3 of her numbers and still get confused which is the working one.

"Anyway it's probably good practice to recycle your number every few years, and not use it for 2FA to make switching numbers a lot easier."

Ironically Twilio of all places forced SMS 2FA on all accounts earlier this year.

As in, one day you could no longer log into your twilio account without giving them a phone number. You are locked out until you do.

Ironic in a few ways ...

First, twilio numbers are not mobile numbers - they are voip numbers - and cannot be used for most 2FA authentication services because they cannot receive messages from short codes. So it's ironic that twilio forces you to use a non-twilio number for their 2FA.

Second, many twilio use-cases (like mine) involve building a twilio infrastructure to replace my existing phones/numbers ... and now that is broken from the bottom up because I have to use a mobile phone with a fixed provider just to use twilio.

The bottom line is: none of this is for me or my safety and security. Twilio has a spam problem and that spam problem is very hard to solve. Forced pairings of physical phones and SIM cards is just a desperate way to throw sand in those gears to slow it down a little bit.

In my limited experience, I've had more phone spam plus wrong number calls right after changing phone numbers due to the number being recycled.

I've had the same phone number for somewhere around 17 years. I kept this number even as I moved across the country (US).

I don't recall ever giving my phone number either and my number is detected by HIBP..

> At least it makes sense why I received a bunch of spam calls over the weekend.

Really?

Every phone number is already known to anyone who wants to get it.

> When ordering online, always, always, always use a fake number, it's not required

Don't do this if you order anything that doesn't ship small parcel. The freight company may need to contact you and it will complicate matters and delay your final delivery.

> When ordering online, always, always, always use a fake number, it's not required

Until something's gone wrong in the process and they need to call you to clarify/fix it. (happens regularly to me due to address suffixes not propagating correctly through crappy systems)

I do something similar when a site asks for my birthday, i used to pick a random date, but sonce its sometimes used to reset password or asks u to confirm i just use the first of january of the year i was born so i can make sure i remember what i put.

I change my phone number every year and I get spam calls all the time.

>Change your credit/debit cards yearly (say to your bank you 'lost' it).

Huge shoutout to/for privacy.com. Been using for over a year now and it's been a fantastic service.

Did you ever set up SMS 2fa? Did any of your contacts use the Facebook app to sync their contacts (at least at one point a default behaviour)? Then Facebook has your number. I remember when I still used it being promoted by a bar at the top of the web UI "Is this your number?" With my actual number suggesting I add it to my profile, so I know they have mine.

Try creating a new facebook account today. The site won't let you do that without verifying a phone number. The difficulty level increases if you try doing so behind a vpn. Same goes for other SM sites like Twitter.

Haha, no. It’s enough if one of your friends/relatives/etc. had allowed Facebook/Instagram/WhatsApp/etc. to scan their contact list. Your phone number is in there, just not shown, trust me.

In fact Facebook used to show creepy suggestions when such cross-pollination of data occured, like “Click here to confirm that XXXXXX is your phone number!”, but they stopped doing that a few years ago.

My number is on my profile, so that my friends can contact me shall they lose my number. Less important now that messenger exists and we can access it any time, but I put it there before it existed. It's come in handy in the past.

I also don't consider my phone number "sensitive" information I want to keep secret - it's already quasi-public and something I give out when I want people to be able to contact me.

I grew up looking people up in the physical phone book when I lost their number, fwiw.

Many companies present you with the opportunity to "Protect Your Account" with SMS, and for that protection they 'just' need your phone number.

Turns out the phone number is the best unique identifier and is the perfect key for joining up lots of disparate sources of data. It's the kind of thing that you could either sell directly or use as an index to determine things like your estimated income.

It wouldn't surprise me if Facebook has had multiple technical methods for devising/stealing and disingenuous "protect your account" campaigns for willingly turning over users phone numbers.

It is very convenient for your friends/family to be able to get your phone number from your facebook profile.

I have used it a few times to contact people for whom immediate contact was preferable to facebook post/message.

I have my phone number and mailing address on my Facebook, set to friends only.

Why not? When I grew up, we had a phone book listing everyone’s name and address and phone number so you could find them to contact.

I consider all of this essentially public information and would rather make it easier for people I know to contact me. If it gets lost in a breach, whatever. I already get plenty of junk mail because I give to charities and they sell my address.

In addition to other reasons already given, I'm not sure if this is still the case because I haven't used Facebook in a while, but back in the day, the only options for 2FA were code generator in the Facebook app itself or SMS. So if you didn't want to have the Facebook app on your phone, giving them a phone number was the only way to enable 2FA.

Your comment is disingenuous. Facebook has been around for nearly two decades. There's plenty of time there for people to make mistakes and try to fix them. Unfortunately they're competing with their contacts who re-add those same mistakes and also competing with Facebook's own incentives to not delete data.

It'll be fun if/when any of these numbers can prove they requested Facebook to delete their data under GDPR.

I believe their app uploads the address books of other people and those address books might contain your phone number and other details.

Troy has covered this several times, but some sites, even showing in the PwnedWebsites list, are not viewable until/unless you confirm control of the email address or Domain.

e: To be clear, the Ashley Madison, and Adult Friend Finder (both breaches) are denoted on the list as not being publicly searchable.

I just checked myself and thankfully I've apparently only been in a few breaches, but of the ones listed, I only knowingly had accounts on LinkedIn and Dropbox. Nothing embarrassing because I'm smart enough to use burner accounts for embarrassing stuff, but I only even recognize last.fm and LuminPDF as services. I'm surprised last.fm still exists. I guess I might have signed up for it at some point and forgotten.

My phone number isn't in here anywhere, so lucky me, but it doesn't make a difference. The State of Texas finally forced me to get a Texas driver's license in order to continue being able to vote, and the State of Texas sells your address and phone number to marketers once they have it, so my number is trash now anyway. 99 out of 100 texts and calls are either politicians or people claiming to want to buy one of my houses. I basically no longer use a phone except when my dad calls.

I guess the plus side there is I'm somewhat immune from whatever location tracking can't be disabled since I don't even take my phone with me most of the time when I go anywhere, but that was an old habit from when I worked in a SCIF and couldn't bring a phone with me anyway.

I did a lot of searching through the Ashley Madison dump back when it came out. It was pretty easy to find people living on my neighborhood that had accounts. They might not have done anything (it was just billing details after all) but any of that information could have easily been used to blackmail someone. There were also a whole bunch of people using .gov or .mil email addresses. Like if you are going to cheat on your wife, don't make it that easy for someone to realize that you can be exploited for government secrets.

It's set up so that you have to prove you own the email address before knowing if you're included in "sensitive" breaches.

Funny that I never thought about this.

Now I'm wondering how this actually plays with legislation such as CCPA or GDPR, as it is quite revealing even without the more delicate sites mentioned here.

Thanks.

For anybody getting a miss and wondering if they messed up the formatting, my US number is coming up now, formatted with a vanilla +1-123-456-7890.

According to the edit at the bottom of the post, "1" is now complete.

Only ~32m of ~190m US FB accounts were in this breach, so it's not surprising if you live in that country and are not in the breach.

Thanks, I was looking for that. Aside from linking my name to my cell phone number (which I really can't even assume is private anymore) there's nothing private in there for me.

Seems to be missing Australia, I was curious to see what data had been leaked about me, since it seems to vary significantly.

What damages have you incurred?

Over the years, many people who were stuck in the Facebook platform have been coerced by Facebook into providing a phone number to “verify” their account. The other choice given to them was (and is) to lose access to the account because Facebook believes it’s a fake account or a spam account or a “violation of its community policy”.

In other cases, Facebook may get the phone number because someone uploaded their address book/contacts to it. This information shouldn’t be in the user’s public/private profile (even though Facebook would store it internally, use it to figure out other connections and “show relevant ads”).

I haven't used facebook in years, but if I remember correctly it was part of your account verification in some cases.

I don't know but I never gave my phone number to Facebook (but I also never used the app, only the website).

I think you may have allowed Facebook to allow other Facebook users to search for your profile via your number. Can you check my earlier comment at https://news.ycombinator.com/item?id=26712835 and let us know whether or not this is/was the case?

> "Facebook Settings > Privacy > How people can find and contact you > Who can look you up using the phone number you provided?"

Is/was it set to "Everyone"?

It's not at all a random website. haveibeenpwned is renowned. Your phone number is not uploaded to the server, instead your browser asks for a whole range of (hashed) phone numbers and checks locally if yours was one of them.

The process is spelled out here: https://haveibeenpwned.com/Privacy

how do you know it was leaked? got spam?

Thanks, because the end of the blog post mentions 8 instead of 9:

> At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.

So I was like: what about another 8?

Edit: Actually, it is "4, 6, 7 and 8"! cf. https://twitter.com/troyhunt/status/1379377818618884098

I'm really sorry for the situation you're in but,

> they bear the moral responsibility for all the people who will be affected by this

Facebook should not be held responsible for dictatorships and totalitarian regimes killing people - even if they use Facebook's leaked data to do so. It's quite unfortunate, but the responsible party to blame is still the people actually doing the killing.

This is excellent advice. Years ago I had a misspelling of my name on my drivers license. Very easy to find the source of all my junk mail after that!

Not all phone numbers have finished uploading, check the blog post for details.

> One thing I didn't find on the website was a way to get an email with the actual data that was leaked so I can evaluate what's at stake. Showing it online would be poor privacy but sending it to the email should solve that.

Not it would not solve that since HIBP would have to store that data (which they currently don't) and thus might be subject to leaks themselves.

Fixed now.

Not really surprising. That just sounds like a UI option. You realize they still have to store it right?

I trust Troy more than I trust Facebook. His incentives are aligned with staying honest.