> The answer is: use HIBP, or <a href="https://haveibeenpwned.com/" rel="nofollow">https://haveibeenpwned.com/</a>. They’ve got the technical (and social) bits of this process right!<p>While I'd trust HIBP more it isn't doing anything significantly different with the lookup process, is it?<p>"There's no k-anonymity implementation for phone numbers at this point in time." <a href="https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/" rel="nofollow">https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...</a><p>Putting a number sends it directly in the GET request: <a href="https://haveibeenpwned.com/unifiedsearch/%2B1%20123%20456%20789" rel="nofollow">https://haveibeenpwned.com/unifiedsearch/%2B1%20123%20456%20...</a><p>Edit: as does looking up an email. It's password lookups that use local hashing/k-anonymity: <a href="https://haveibeenpwned.com/Privacy" rel="nofollow">https://haveibeenpwned.com/Privacy</a>
If you're on the "facebooked" list your number is already disclosed and correlated to you and your email address - inputting it onto a website to see if it's one of the compromised will have absolutely no effect.
Well, it’s sending a sha256 for your phone number, how is this not good enough? How would you expect to check the number in the database without hashing it or passing it in the clear?
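An added example, not part of the thread and not HIBP's code: the k-anonymity range lookup that the first comment says HIBP uses for passwords, where the client hashes locally, sends only a 5-character digest prefix, and matches the suffix itself. The `RangeServer` class, the function names and the sample corpus are constructed for illustration.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client
HEX = set("0123456789ABCDEF")


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """In-memory stand-in for a range endpoint (hypothetical, constructed data)."""

    def __init__(self, leaked: dict[str, int]):
        self.buckets: dict[str, dict[str, int]] = {}
        self.seen: list[str] = []  # everything the server ever learns
        for value, count in leaked.items():
            digest = sha1_hex(value)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], {})
            bucket[digest[PREFIX_LEN:]] = count

    def range(self, prefix: str) -> str:
        # Reject anything longer than the agreed prefix, e.g. a full digest.
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen.append(prefix)
        bucket = self.buckets.get(prefix, {})
        return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def times_seen(secret: str, server: RangeServer) -> int:
    """Return the breach count for secret; only the digest prefix is sent."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in server.range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)  # the match is decided on the client
    return 0


# Constructed sample corpus, not real breach data.
SERVER = RangeServer({"password": 3, "hunter2": 1})

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", times_seen(pw, SERVER), "| server saw", SERVER.seen[-1])
```

The server's `seen` list only ever holds five-character prefixes, which is the property the first comment attributes to password lookups and says the phone and email lookups lack.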
So the main point of this article, to avoid that site, is that they could google the SHA256 for a known simple number, namely "11111111111", and boom!, this way the site programmer would reverse it back to know your number?<p>If that's the case I suggest he google Bitcoin's SHA256 numbers too. Heck, at ~55k USD per bitcoin, he would become, literally, a multimillionaire overnight. What a buffoon! And it hit HN top as well, pfff.
I'm more annoyed with the security community making it so hard to get access to the raw leak. There's a weird elitist attitude of "only we can handle the data" even though every black and white hat in the world already grabbed it.
The two sites seem to have different sources, however - HIBP claims neither my email nor my phone number were involved in the FB leak, while the "Facebooked" site correctly identified that my number was tied to my name and other pieces of information.
What of this version, which sends 99 random numbers along with your real number?<p><a href="https://www.thenewseachday.com/private-facebook-phone-numbers-us" rel="nofollow">https://www.thenewseachday.com/private-facebook-phone-number...</a>
A safer way: just download the dump for yourself and Ctrl-F your number.<p>An <i>even safer way</i>: Look at your phone log. If you haven’t received 25 spam calls in the past week, your number probably isn’t in the list.