I've never been an FB "person", but maybe 6-7 years ago the local running club moved to scheduling <i>everything</i> on FB. For a while, the page was "public", but then you had to have an account (which required a phone number) to see anything other than the club's "landing page". So I ended up making an FB account which I've only ever used to be able to see the club pages (I haven't ever posted anything!) -- dumb of me, I know, but FB had almost become a requirement to participate in life.<p>However, recently I've noticed that I now get a couple of junk texts every day or two, whereas up until a few weeks ago, I don't think I'd ever had a single junk text.<p>I wonder if this is why.
There's a good discussion on this by Troy Hunt[1].<p>> But for spam based on using phone number alone, it's gold. Not just SMS, there are heaps of services that just require a phone number these days and now there's hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.[2]<p>> Another general observation on this incident: I'm seeing <i>extensive</i> sharing of the data, both the entire corpus of countries and individual country files. Not just in hacking circles, but very broadly on social media too. This data is everywhere already.[3]<p>> New breach: Facebook had 2.5M addresses exposed in an incident that impacted 533M subscribers' phone numbers. Most records contained name and gender, many also included DoB, location, relationship status and employer. 65% were already in @haveibeenpwned[4]<p>> If we look at the data, email is rare, DoB is rare so the greatest impact here is the phone numbers. Even though it’s “only” 20% of FB users, the number is obviously substantial thus so is the impact[5]<p>[1]: <a href="https://twitter.com/troyhunt" rel="nofollow">https://twitter.com/troyhunt</a><p>[2]: <a href="https://twitter.com/troyhunt/status/1378485999781613569" rel="nofollow">https://twitter.com/troyhunt/status/1378485999781613569</a><p>[3]: <a href="https://twitter.com/troyhunt/status/1378513457209696256" rel="nofollow">https://twitter.com/troyhunt/status/1378513457209696256</a><p>[4]: <a href="https://twitter.com/haveibeenpwned/status/1378554902100635659" rel="nofollow">https://twitter.com/haveibeenpwned/status/137855490210063565...</a><p>[5]: <a href="https://twitter.com/troyhunt/status/1378474534760685568" rel="nofollow">https://twitter.com/troyhunt/status/1378474534760685568</a>
To put this in perspective, Facebook just leaked information about, at most, 1 in every 15 people, <i>in the world.</i><p>(Less, depending on the number of folks with multiple accounts, which FB seems to try to prevent?)
Not just Zuckerberg's, but Dustin Moskovitz and Chris Hughes are there as well. Interesting to see who has low user IDs in the dump.<p>Also mildly entertaining to see some names that are probably test accounts now associated with Facebook people in Google as people try to see who they are.
According to this tweet, this shows the Zuck himself uses Signal: <a href="https://twitter.com/michilehr/status/1378666681451569153" rel="nofollow">https://twitter.com/michilehr/status/1378666681451569153</a>
This is why I call for zero-knowledge information exchange, decentralization, and genuine end-to-end encryption. The most secure data is data you don't have, and any company which claims to store data "securely" is grossly irresponsible. Even the world's largest tech companies with access to truly staggering engineering budgets can and will leak your data. It's not if: it's when.<p>We need to regulate this.
You can find him on Signal now <a href="https://mobile.twitter.com/Daviey/status/1378645798439768064" rel="nofollow">https://mobile.twitter.com/Daviey/status/1378645798439768064</a>
I don't much care about my phone number being leaked. Why? Because I don't answer my phone unless I know who is calling. I do get lots of spam calls every day, but thanks to my smartphone, spam calls can be blocked. And if the hackers want to steal my identity, they cannot answer my phone and thus pretend to be me, can they?<p>Remember, all phone numbers used to be in a public book called "Phone Book".
Just putting this out there - I still haven't received any kind of message from Facebook about the breach... I'm pretty sure in some countries they have an obligation to notify users.
I haven't been on Facebook for 2 years, but I'm thinking about downloading the database just to see if I'm in it. I don't care about other records. Or do I have other options to figure it out?<p>Edit: I forgot about haveibeenpwned.com. Any info about when they will add this leak?<p>Edit2: Haveibeenpwned added 2.5 million email addresses. But it's possible that my record doesn't have email.
The 10 digit number space is completely filled up, so you can just call/text numbers at random and be almost sure it reaches someone.<p>So I think it's time to use UUIDs instead. They're hard to type, but you hardly ever need that.<p>What am I missing?
The data is missing some people like former Facebook executive Jay Parikh. One possibility: they never put a phone number into their Facebook account.
I can say that this is interesting; the founder of Facebook itself is a victim of leaked data. I wonder how much it would cost to buy Mark Zuckerberg's phone number?
Someone (or a script) flagged Ronson who had posted direct links.<p>I only tested the Norway link in his post but that was legit.<p>(I first verified with VirusTotal and then thought twice before opening the zip file.)
If this were a game of intrigue, it would provide plausible deniability for anybody who got caught with his contacts. Would have been fun to include that in the article.