The data might be from an old breach, but the data are also unlikely to change very often, so it is more than likely current for a large proportion of those who have been exposed (phone number, date of birth, full name, etc).
I deleted my (outdated) phone number from facebook years ago and it's still part of the leak, with my name and gender in it. I did not replace the phone number with another phone number. Really says something about what delete means for fb.
Yep, my guess is they just pop in a flag that says "not current" or "former" or something. Think about what someone could do with this data though. They can unfreeze your credit report. Apply for a loan or credit card or mortgage. All they need is your name, DOB, SSN (or just last 4), and the last 3 addresses you resided at.
How many years ago did you delete your phone number? This is not a recent dump of data, it has just recently been made more widely available. I believe the original leak was some time in 2019.
I have had an idea. The last time I deleted my Facebook account, it had been a 6-7 year old legacy thing and I ended up manually deleting stuff: photos, videos, contacts, calendar entries. Then waiting for months. I had an idea. This was back when "shadow profiles" had appeared on the news. I figured if I outright deleted the account, maybe it would keep it in a "deleted because not coming back" DB. Instead, if I deleted stuff, maybe the idea would be "okay.. routine stuff.. delete"
Apparently both my ideas were wrong, but good thing I don't use any Facebook property, don't use WhatsApp or Instagram and am a hermit. I had Telegram since 2015 but since the Signal/WhatsApp thing happened, I stopped using it. :-/
> Really says something about what delete means for fb.
Since the storage of data is so cheap, any company will archive data, for future profit.
Why did you believe any data would be deleted in the first place? Were you counting on the government taking action if it found out? Are there any cases like this in the past?
I find it surprising even programmers believe their data will be deleted by the company.
Most people even programmers believe a company will delete their data.
What's your background? Are you a coder?
I am a co-author of the site.
We are already aware of your concerns about giving out your phone number. The source code is free and reviewable on GitHub. We know it's not possible to verify what's running on a server, but we hope it adds a level of trust.
We are currently hashing all phone numbers so we don't have to deal with them anymore. We will keep you updated.
Facebook should email those affected... surely they know who was compromised or not. Shouldn't have to use random sites for this. Why has there been no communication from them?
The leak doesn’t provide much. The backlash of sending an email will instantly be way worse than what was actually leaked. Far worse leaks happen routinely from big names. However Facebook’s negative reputation would sway so far against it, you’d think Facebook had doxxed every one.
I don’t particularly like Facebook or any big corporation FYI.
Can someone bcrypt all these phone numbers & emails and make that public? Share the salt and then everyone can just test their own phone number without sending it to some rando
There is source code for both front and back end and the creators linked their names. So check the source code and decide whether you trust the people involved that this is actually the code that is running the site.
Even if they were running it with nefarious purposes, it's barely even data. All they could realistically "harvest" would be knowing that the user behind a certain IP address was curious as to whether this or that number was a telephone number in the leak, and there's nothing to guarantee that the number belongs or ever belonged to the person looking it up, or even whether it is an actual telephone number or not.
I could see the "big-data" value of that information if they managed to get a significant proportion of the population to check this website, but even that would be barely worth the effort.
When they identified that my data was part of the link, they included an obfuscated first and last name - first letter plus length of each. If they were harvesting data, they certainly appear to already possess it.
They are in the EU, which means that you are protected by the GDPR. And the website clearly states that no data is being harvested. I believe that two Italian teenagers would not want to get sued to bankruptcy :)
Not sure what’s going on but it says my number is not part of the leak, but I’ve checked myself and it is actually leaked. Just be aware that it may not be complete.
Hmm, I haven't given Facebook a phone number. How can I check if my account is included in the leak? Haveibeenpwned doesn't include Facebook in the leaks with my FB email, but I'm not sure I'm checking in the right place.
No one else wanted to try, but I had a feeling my data is breached (seems to happen every few months?)
Anyhow, my phone number had a hit and they showed my first and last initial and corresponding asterisks; seems legit.
For people saying "why enter your phone number into random site" -- not sure how much value a phone number provides without the accompanying information.
I typed my phone number, and it was not found. I'm not too surprised. I never wanted Facebook to have my phone number (and my account is deactivated, though I still use Messenger.) I always ignore prompts for phone numbers on a site/app like that (if at all possible).
From what I can see, this site sends your whole number to the backend to search for a number in the dump[0], while haveibeenpwned.com will hash the input, send only a prefix to the server and receive a list of hashes with the same prefix. If your hash is in the list, you've been pwned, but you can check without leaking your data to HIBP.
Edit: I just checked, seems like the form on the front page of HIBP also submits your complete email/phone number. Pretty sure I read about how you don't have to submit your personal data to validate against HIBP, not too long ago...
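The range-query scheme the comment above describes (and the "publish the hashes so everyone can check locally" idea a few comments earlier) can be shown end to end. This is an added illustration, not code from haveibeenfacebooked or HIBP; the leaked set, the E.164 normalisation and the 5-hex-character prefix are assumptions made for the example.

```python
import hashlib

# Constructed sample "leak" (fabricated numbers, E.164 form). The assumption
# is that the server normalises numbers the same way before hashing.
LEAKED_NUMBERS = {"+15550100001", "+15550100002", "+447700900123"}

# Assumed prefix length: the client reveals only these hex characters.
PREFIX_LEN = 5


def sha1_hex(value: str) -> str:
    """Hash a normalised phone number; upper-case hex like HIBP's range API."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_range_index(numbers):
    """Server side: group every leaked hash by prefix, once, at load time."""
    index = {}
    for n in numbers:
        h = sha1_hex(n)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def server_range_query(index, prefix):
    """Server side: answer with every suffix sharing the prefix.

    The server never learns the full hash, only which bucket was asked for,
    so the querying user is hidden among everyone in that bucket (k-anonymity).
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
    return sorted(index.get(prefix.upper(), ()))


def client_check(number, query):
    """Client side: hash locally, send only the prefix, compare suffixes locally.

    Returns (found, prefix_sent) so a caller can confirm what left the client.
    """
    h = sha1_hex(number)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in query(prefix), prefix


if __name__ == "__main__":
    index = build_range_index(LEAKED_NUMBERS)
    query = lambda p: server_range_query(index, p)
    for n in ("+15550100001", "+15550100009"):
        found, sent = client_check(n, query)
        print(n, "leaked" if found else "not found", "(sent prefix %s)" % sent)
```

Note that a phone number space is small enough to enumerate, so a full hash (with or without a shared salt) identifies the number outright; only the prefix-sharing step keeps the lookup from disclosing which number was checked.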
I think this is the really interesting legitimacy vacuum that hacks like this place us into. The official source on this is silent and may stay silent for a long time. People who wait for an official, safe answer may need to wait a long time. On the other hand, the illicit nature of the data makes it legally questionable for other organizations to step into the role of notifier.
So why enter your info on a random site? Because it may be the lowest (definitely not zero) risk way to check if your info is in the leak. If you wait or you build your own thing you may risk less, but balancing the risk with the certainty of obtaining an answer requires a real level of expertise.
Does seem like an easy way to collect phone numbers.
1) no indication that there's any rate limiting here beyond a 2 second cooldown (thanks for that, grenoire), but I only tested it using burp intruder community edition, and I only tested it on a set of numbers guaranteed to return false. If anyone wants to test a range with a known-leaked number in it, up to you.
2) it's very possible that if there is rate limiting, it acts invisibly.
But if there's no rate limiting as I suspect, someone can easily just iterate through this data set and extract every number (well, until cloudflare trips the requests). Alternatively, someone can request a large set of numbers that includes their own in order to fuzz the range their own number is in.
I'm looking forward to the sequel, "Have I Been 'Have I Been Facebooked'ed" when it turns out this is just a data harvesting operation.
If you don't want your phone number leaked don't hand it over to a random website that pinky swears it won't keep it. It's maybe not a scam, but still...
Aren't telephone directories a thing anymore? At least in my country you can just search for a person online and see their phone number. Someone's phone number seems like the least sensitive PII.
In Australia, phone directories don't generally include mobile phone numbers, and with the massive shift from landline phones to mobile phones over the past decade, this means many people are completely gone from the phone directory. I suspect it may be a similar situation in other countries - the phone directory still exists, but is increasingly useless.
The view of the sensitivity of phone numbers and home address as PII has changed with this trend too.
aiur (5 years ago):
"This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019" - FB
wbercx (5 years ago):
With that said my details do not appear to have leaked.
type0 (5 years ago):
It's not like they care even a bit. And they wouldn't win any goodwill from it. If you have been zucked, you've been zucked, that is it.
runeks (5 years ago):
Just enter your email and the site will tell you whether your email has been harvested by https://haveibeenfacebooked.com/
s_dev (5 years ago):
Other than Troy Hunt being well known and building a reputation on being a white hat security guy.
In the world of data the only thing you can trust in absolute terms is encryption. Anything else involving people involves shades of grey.
[0]: https://github.com/Fumaz/haveibeenfacebooked-api/blob/master...
flixic (5 years ago):
https://fbhack.lekevicius.com
All the numbers that I know for sure to be in the leak return "not found in the leak" on this site.