"Currently, we don't know if Facebook has fixed the vulnerability since the company hasn't released any statement regarding the breach."

"This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019" - FB
I deleted my (outdated) phone number from facebook years ago and it's still part of the leak, with my name and gender in it. I did not replace the phone number with another phone number. Really says something about what delete means for fb.
Troy just added phone number search to Have I Been Pwned as well: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/ (https://news.ycombinator.com/item?id=26709848)
I am a co-author of the site.
We are already aware of your concerns about giving out your phone number. The source code is free and reviewable on Github. We know it's not possible to verify what's running on a server but we hope it adds a level of trust.
We are currently hashing all phone numbers so we don't have to deal with them anymore. We will keep you updated.
Facebook should email those affected... surely they know who was compromised or not. Shouldn't have to use random sites for this. Why has there been no communication from them?
Can someone bcrypt all these phone numbers & emails and make that public? Share the salt and then everyone can just test their own phone number without sending it to some rando
Not sure what’s going on but it says my number is not part of the leak, but I’ve checked myself and it is actually leaked. Just be aware that it may not be complete.
Hmm I haven't given facebook a phone number. How can I check if my account is included in the leak? Haveibeenpwned doesn't include facebook in the leaks with my FB email, but I'm not sure I'm checking in the right place.
No one else wanted to try, but I had a feeling my data is breached (seems to happen every few months?)

Anyhow, my phone number had a hit and they showed my first and last initial and corresponding asterisks; seems legit.

For people saying "why enter your phone number into random site" -- not sure how much value a phone number provides without the accompanying information.
From what I can see, this site sends your whole number to the backend to search for a number in the dump [0], while haveibeenpwned.com will hash the input, send only a prefix to the server and receive a list of hashes with the same prefix. If your hash is in the list, you've been pwned, but you can check without leaking your data to HIBP.

Edit: I just checked, seems like the form on the front page of HIBP also submits your complete email/phone number. Pretty sure I read about how you don't have to submit your personal data to validate against HIBP, not too long ago...

[0]: https://github.com/Fumaz/haveibeenfacebooked-api/blob/master/src/api/app.py#L21
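The prefix-range lookup this comment describes (and that the later comments asking for client-side hashing want) works as sketched below. This is an added illustration, not code from haveibeenpwned.com or from the haveibeenfacebooked site; the leaked numbers are constructed, and the 5-character SHA-1 prefix and all function names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample of "leaked" numbers as the server would hold them (not real data).
LEAKED_NUMBERS = ["+15551234567", "+15559876543", "+447700900123", "+37060012345"]

PREFIX_LEN = 5  # assumed prefix length: 5 hex chars = 16**5 buckets


def normalize(number: str) -> str:
    """Keep digits only so '+1 (555) 123-4567' and '15551234567' hash identically."""
    return "".join(ch for ch in number if ch.isdigit())


def sha1_hex(number: str) -> str:
    """Hash a normalized number; uppercase hex so prefix comparison is exact."""
    return hashlib.sha1(normalize(number).encode()).hexdigest().upper()


def build_index(numbers):
    """Server side: bucket full hashes by prefix and keep only the suffixes."""
    index = defaultdict(list)
    for n in numbers:
        h = sha1_hex(n)
        index[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
    return index


def server_range_query(index, prefix: str, seen_by_server: list):
    """Server side: reject malformed prefixes, record what was received,
    and return every suffix in that bucket (possibly none)."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    seen_by_server.append(prefix)
    return sorted(index.get(prefix, []))


def client_check(number: str, query) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    The full number and the full hash never leave this function."""
    h = sha1_hex(number)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in query(prefix)


if __name__ == "__main__":
    index = build_index(LEAKED_NUMBERS)
    log = []
    hit = client_check("+1 (555) 123-4567", lambda p: server_range_query(index, p, log))
    print("leaked:", hit, "| server saw only prefix:", log)
```

Phone numbers are low entropy, so a server can precompute every hash; the prefix still only tells it that the caller's number is one of roughly 10^10 / 16^5 (about ten thousand) candidates, which is the privacy this scheme buys and no more.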
I have made a similar site, but just for Lithuanian numbers:

https://fbhack.lekevicius.com

All the numbers that I know for sure to be in the leak return "not found in the leak" on this site.
So, a few things.

1) No indication that there's any rate limiting here beyond a 2 second cooldown (thanks for that, grenoire), but I only tested it using Burp Intruder community edition, and I only tested it on a set of numbers guaranteed to return false. If anyone wants to test a range with a known-leaked number in it, up to you.

2) It's very possible that if there is rate limiting, it acts invisibly.

But if there's no rate limiting as I suspect, someone can easily just iterate through this data set and extract every number (well, until Cloudflare trips the requests). Alternatively, someone can request a large set of numbers that includes their own in order to fuzz the range their own number is in.
I'm looking forward to the sequel, "Have I Been 'Have I Been Facebooked'ed" when it turns out this is just a data harvesting operation.

If you don't want your phone number leaked, don't hand it over to a random website that pinky swears it won't keep it. It's maybe not a scam, but still...
Aren't telephone directories a thing anymore? At least in my country you can just search for a person online and see their phone number. Someone's phone number seems like the least sensitive PII.
This is the first time I've seen the UAE called ARE in a country list. I even went and asked Google, and it turns out there is in fact one ISO standard that calls it ARE. All the others, including ITU (we are talking about phone codes, after all), call it UAE. Really strange choice of naming standard for something phone-related.
Be aware that this site doesn't seem to be the whole story; it doesn't match me, for example, but this one does: https://jstsch.com/facebook/ (NL only)

So there's some ambiguity or incompleteness somewhere.
I wish there was an "email" input. Last time I had a Facebook account was 10 years ago (probably before phone numbers were de facto identity) and I would be fascinated to learn if my old accounts were in the leak, because Facebook was supposed to fully delete those accounts :)
If you don't want to input your full phone number, you can use this tool: https://codeeverywhere.ca/apps/fb_data

Searches use partial data from multiple fields to find matches.
My 2c security tips:

- I trust my browser and the site owner version: text in clear

- I barely trust site owners (if a match is found they still have access to the fact that I've verified that number): hash each phone address, i.e. using bcrypt with a composed salt (i.e. site address + email in the account + phone address) so a rainbow table will be impossible to use (this because phone numbers are low entropy and even without a rainbow table IMO are not that very secure); then ask the user for the hashed version in the text field (also write a Linux terminal style command that can be used to hash with the given salt and hashing, or redirect to a trusted hasher service online (multiple links can be provided)).

Both text fields can be provided to allow the user a choice.
I'm a little skeptical this is accurate. Supposedly 1/3rd of my country's population is in this leak, yet not one of the 40 people I tried from my contacts list appears in the leak.
The website says no, but after downloading the whole dataset and doing a quick search using "grep -rnw" I got my current phone number in addition to my grandfather's (also on FB), so even if the site says you're not facebooked, please check the raw data available in the pastebin archive (https://archive.is/MZqak)
I am annoyed. I haven't updated my Facebook in years so most of the data is out of date and I use a separate phone line for personal correspondence, but I do still have a Facebook account for the occasional friend/family that uses Messenger. This might be the final nail in the coffin for me and get me to delete my account.

Maybe I can finally get my last couple of friends to switch to Signal.
The phone numbers put into this website can be trivially reversed despite the false sense of security the phone-number disclaimer provides: https://code.express/docs/blogs/facebooked/
Anyone know of one of these sites where they don't send your phone number / email to the server? The /search endpoint's phone_number param has your number.

They should instead hash your number client side and test the hash.
Yeah, not going to use any search tool where I need to enter my number... You could just post the data by area codes: create a bland UI that lists all area codes, let the user click into an area code and then on the next page list all the phone numbers in that area code that have been affected.

I'd use that, but not searching by phone number.
Already getting spammed hourly by text messages pointing me towards URLs I should click.

AFAIK there isn't much awareness about this leak amongst most of FB's userbase: less tech-savvy and 40 yrs++.
```
Facebook account ID
First name: P**
Last name: N***
Gender
Relationship status
Location
```

:: squints ::

I'll grant you, this is much more problematic for some than for me. But for me, this is, roughly, analogous to my actual LinkedIn, GitHub, or Hacker News profile, which link to my resume (which has my phone number), combined with a squint at my age and a guess.

There's a *lot* worse that could be leaked.