253 comments

[ 3.1 ms ] story [ 295 ms ] thread
I just logged in to Facebook for the first time in years to check the data it has on me. Luckily I never added my phone number or address, so should hopefully be in the clear.
Did you ever set up SMS 2fa? Did any of your contacts use the Facebook app to sync their contacts (at least at one point a default behaviour)? Then Facebook has your number. I remember when I still used it being promoted by a bar at the top of the web UI "Is this your number?" With my actual number suggesting I add it to my profile, so I know they have mine.
I have had the exact same experience. Interestingly, it took them a few tries to get to my actual number and they still carried on throwing other random phone numbers I did not recognize.
Despite using 2FA and listing my number on my profile - albeit restricted to "just me", I don't appear in the data. It's not as simple as they just having a record of it somewhere.
I'm in the same situation and very surprised. I've sat here wondering if I'm entering my numbers wrong, or if I'm really not in it. I've read the blog post and I'm entering the 1 in front of my 10 digits, because I'm in the USA.

My wife's number isn't in there, either. I'm just really surprised, because I checked facebook the other day and it said I was searchable by email and phone number.

I even searched my email address, and a lot of other breaches show, but not Facebook.

I guess I got lucky?

US numbers are not uploaded yet
Ah, that makes sense then. I assumed they were because the instructions showed the US style specifically.

Thanks!

Likewise, it seems there's more nuance to this leak. I checked the data out and a large number of my contacts have correct numbers in it. At the same time, numerous people don't appear in it, even if they do have a phone number on their profile.
I've been intentionally breaking my social graph since at least 2012.

Looks like its worked here.

When I make a Facebook account, usually for my living complex's community or a bunch of Gen-Xer's doing a burning man thing, I use a new email or new phone number for signup and one time passwords.

I don't let it get access to my contacts, assuming I inadvertently installed the Facebook app on a phone.

Doesn't look like they meaningfully go deeper than that.

I find the social graph to be very fungible, so if I really ever want to recreate it I can just add my phone number or give any app access to my contacts. This knowledge also lets me not be married to any of these services.

I'm very content downloading the account data and then deleting the account.

Try creating a new facebook account today. The site won't let you do that without verifying a phone number. The difficulty level increases if you try doing so behind a vpn. Same goes for other SM sites like Twitter.
I don't think that's true. I created a Facebook account a few weeks ago and a Twitter account just yesterday, both without needing a phone number.
By all accounts, anyone can create an account, but then the account invariably quickly gets suspended, requiring a phone number for “verification”.
Don't they have a "real person" policy now? ie. not only phone number but as well a requirement to upload a passport style photo. Concidentally on entrance to US a camera makes a high resolution photo of every traveller during passport control.
I believe they have always had this policy, though it wasn't particularly well enforced when they opened up the platform to all comers. I actually had a Facebook account before I even first got a mobile phone at all, back in 2004 when you needed a .edu email address to sign up, which just meant they were delegating identity verification to the university. I think people were fairly comfortable with it back then because the only other users who could see you were people from the same school and it just mimicked the physical "facebook" that universities already published and made available to everyone with directory listings including your official photo and the phone number and room number of your dorm if you lived on campus. There was no open network. You could only even search for people from your own school.

Obviously, the platform has radically changed since then, but they have gotten a lot of mileage out of the illusion that you could freely share what you wanted because the only people who were going to see it were people who already knew you anyway, which was at least somewhat true at first.

Haha, no. It’s enough if one of your friends/relatives/etc. had allowed Facebook/Instagram/WhatsApp/etc. to scan their contact list. Your phone number is in there, just not shown, trust me.

In fact Facebook used to show creepy suggestions when such cross-pollination of data occured, like “Click here to confirm that XXXXXX is your phone number!”, but they stopped doing that a few years ago.

> "One last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 9 have completed loading. The other codes are in progress and may take several hours more before they're searchable."

https://twitter.com/troyhunt/status/1379366099544797189

Thanks, because the end of the blog post mentions 8 instead of 9:

> At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.

So I was like: what about another 8?

Edit: Actually, it is "4, 6, 7 and 8"! cf. https://twitter.com/troyhunt/status/1379377818618884098

I'm completely unsurprised that my phone number is in there despite the fact that I deleted and closed my account 10 years ago.
I deleted my phone number around mid-2018 and it’s also part of the leak tying the phone number to my name and gender

https://news.ycombinator.com/item?id=26708923

Similar experience. Class action?
(comment deleted)
I started taking and deleting my data off FB 5 years ago, after I knew better. I'm only on FB because of messenger, and checks FB less than once a month.

I think that's a better approach than suing them and getting the $10 from a class action.

We don't know exactly when the data was exfiltrated, just that it ended in early 2019. It could have been taken at any point before that time.
Yeah it could be, will have to wait for more details first.

I would not be surprised if FB kept that phone number with a "deleted" flag to this day though.

Earliest date in one of the columns (last login?) is something around 2019-04-28.
Yeah these companies that rely on user data will NEVER delete your data once you submit it to them (regardless if they say your data is deleted or account closed). For company like FB you are the product.
Data leaks like this are positive in that regard because we can prove they haven’t complied with GDPR quite easily if our deleted data comes up.
Couldn't it be there from someone who knows you? I was under the impression that Facebook grabbed people's contacts list on mobile apps.
So, that begs the question: If _my_ phone number is in someone _else's_ contacts, is it still _my_ phone number?
It's your phone number (or possibly also the phone number of the person who had it before you) but, like images of yourself, they're probably in tons of places that you don't control and never will.
It is still PII which sometimes has specific laws and rules around its use depending on where you are.

If I give someone's social security number to a company that doesn't mean they can publish it on the front page just because the person it belongs to didn't hand it over.

My understanding is that all numbers in the dump correspond with Facebook accounts, so this shouldn't be the reason.

Another option would be that someone else has that number listed for their account. Has Facebook always required confirmation that a number is valid? I saw one my friends' numbers in the data except the account had a different name.

Did you deactivate or delete your facebook account?

As I understand, deactivation is temporary, deletion erases all data.

But if people did delete their accounts and Facebook didn't erase the private data, aren't there consequences to this?

> As I understand, deactivation is temporary, deletion erases all data

That's the problem, what we or regulators understand may well be very different to what actually happens

> aren't there consequences to this

A slap on the wrist at best, I'd bet my house on it

'Erases' all data, or sets the is_deleted flag.
Full delete. I was very careful about it at the time.
If you’re a EU citizen contact your local data protection authority and file a complaint. It literally takes 5 minutes.
(comment deleted)
Relevant links.

"What should I do if I think that my personal data protection rights haven’t been respected? "

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

"European Data Protection Board Members"

https://edpb.europa.eu/about-edpb/board/members_en

Yes, please do this if you are protected by European regulations.

I also wish we could do more to put pressure on Facebook and other bad players. Can’t help thinking this is viewed internally as just more work for the legal department followed by an X billion euro “cost of doing business” fine after so many years.

And Facebook will promptly ignore that too: https://ruben.verborgh.org/facebook/
1. That article is about downloading, not deleting.

2. You don't negotiate with Facebook, you norify the regulators so they can asses another billion-euro fine.

How much money can you get as damages?

Answer under the GDPR is probably: 0EUR.

It’s not the point. You can sue for damage if you want, but that is something else. The point of the regulation is to punish bad actors, not give money to users.
(comment deleted)
I'm not sure citizenship is required?
Indeed, citizenship is not required. You just need to be a resident.

It would be hard to argue that privacy is a human right and then limit the protections to citizens.

In German legal thought and practice, we have the distinction between Buergerrechte (civil rights, perhaps) and Menschenrechte (human rights).

The former is for citizens, the latter for everyone.

In the US, privacy falls in something like the former: there are supposed to be legal safeguards to keep US citizens from being spied on, but eg the NSA wiretapping foreigners is fine and even encouraged.

> In German legal thought and practice, we have the distinction between Buergerrechte (civil rights, perhaps) and Menschenrechte (human rights).

That is my experience in a couple of other European countries as well. Of course, some rights are reserved to citizens: vote (although that is changing for local elections), things like service at embassies and consulates abroad, and some aspects of immigration.

But except for these narrow aspects, the law should be the same for everyone: we are not a caste system.

Voting has already been open for people from other EU countries in local elections for quite a while.

> But except for these narrow aspects, the law should be the same for everyone: we are not a caste system.

I agree that it should, but the biggest factor in most people's life is not silly things like voting, but the right to work.

Billions of people would like to live and work in the EU and the US, but are not allowed.

(/verytrivial cries in Brexitish ...)
The UK hasn't abolished their implementation of the GDPR (yet?) so you should still be to file a complaint with the ICO (AFAIK; IANAL).
My experience is completely opposite to yours. I have a facebook account, phone number added and verified, profile privacy set to "friends only", but I can't find myself in the leaks.
My understanding of the dump is that it was scraped, thus it's non exhaustive by nature. There's only half a billion accounts in it after all, and Facebook has far more.
One thing I didn't find on the website was a way to get an email with the actual data that was leaked so I can evaluate what's at stake. Showing it online would be poor privacy but sending it to the email should solve that.

Some of the leaks are from companies I don't even know, that work behind the scenes aggregating information. Particularly for those I'd like to see what was leaked. For the services I actually used directly I have a clearer idea.

> One thing I didn't find on the website was a way to get an email with the actual data that was leaked so I can evaluate what's at stake. Showing it online would be poor privacy but sending it to the email should solve that.

Not it would not solve that since HIBP would have to store that data (which they currently don't) and thus might be subject to leaks themselves.

Links to the actual data (allegedly): https://pastebin.com/sq7UDyVb
Seems to be missing Australia, I was curious to see what data had been leaked about me, since it seems to vary significantly.
This set is missing Australia yes, but not the other set Troy Hunt was sent - he covers this in his blog post and tweets. There are at least two sets floating around. The ones loaded into HIBP do contain Australian numbers - I've checked.
Thanks, I was looking for that. Aside from linking my name to my cell phone number (which I really can't even assume is private anymore) there's nothing private in there for me.
I searched my number(s), no hits. I did a +/- a few numbers, and there is a hit. The message is though: "Oh no — pwned!"

The only information exposed to me is that the person with that number, has a FB profile. If I am to trust FB (which I don't - for nothing) is that FB has this person's number and lost it. I place no reliance to anything that FB states. For all I know that person is a WhatsApp user and the FB branch 'stole' the number and added that to their FB account (yes, I know this is not how data works, but this is how FB works).

(semi-rant follows - apologies)

There is a mention of 2FA/MFA in another comment. I wouldn't be surprised if FB already has a 'super profile', where all data by FB-WA-IG are merged. I believe that would be a nightmare to do, but hey, FB is good at nightmares.

Edit: I feel this is a semi "Ashley Madison" moment. People who have a 'secret' FB profile may get busted by their BFs/GFs.

What do you expect? Passwords aren't security, they're a programming construct.
I'm sure not to be the first one to point this out, but checking other people's emails is quite revealing. It's very much documenting in public which sort of websites about every person you know is visiting. Among them [1] "Baby Names", "Ashley Madison", "Adult FriendFinder", "diet.com". Want to profile your friends – there you are.

I wonder if the benefits of haveibeenpwned outweights this.

[1] https://haveibeenpwned.com/PwnedWebsites

Troy has covered this several times, but some sites, even showing in the PwnedWebsites list, are not viewable until/unless you confirm control of the email address or Domain.

e: To be clear, the Ashley Madison, and Adult Friend Finder (both breaches) are denoted on the list as not being publicly searchable.

I just checked myself and thankfully I've apparently only been in a few breaches, but of the ones listed, I only knowingly had accounts on LinkedIn and Dropbox. Nothing embarrassing because I'm smart enough to use burner accounts for embarrassing stuff, but I only even recognize last.fm and LuminPDF as services. I'm surprised last.fm still exists. I guess I might have signed up for it at some point and forgotten.

My phone number isn't in here anywhere, so lucky me, but it doesn't make a difference. The State of Texas finally forced me to get a Texas driver's license in order to continue being able to vote, and the State of Texas sells your address and phone number to marketers once they have it, so my number is trash now anyway. 99 out of 100 texts and calls are either politicians or people claiming to want to buy one of my houses. I basically no longer use a phone except when my dad calls.

I guess the plus side there is I'm somewhat immune from whatever location tracking can't be disabled since I don't even take my phone with me most of the time when I go anywhere, but that was an old habit from when I worked in a SCIF and couldn't bring a phone with me anyway.

It's set up so that you have to prove you own the email address before knowing if you're included in "sensitive" breaches.
I did a lot of searching through the Ashley Madison dump back when it came out. It was pretty easy to find people living on my neighborhood that had accounts. They might not have done anything (it was just billing details after all) but any of that information could have easily been used to blackmail someone. There were also a whole bunch of people using .gov or .mil email addresses. Like if you are going to cheat on your wife, don't make it that easy for someone to realize that you can be exploited for government secrets.
Funny that I never thought about this.

Now I'm wondering how this actually plays with legislation such as CCPA or GDPR, as it is quite revealing even without the more delicate sites mentioned here.

What a great service to gather phone numbers even from those who haven't been pawned!
I trust Troy more than I trust Facebook. His incentives are aligned with staying honest.
Every time Facebook/Gmail/Google/Amazon/LinkedIn/Tinder/whoever asks me to give them phone number "just in case" my first and only thought is "hell no". I haven't been wrong a single time.
Sadly, many companies now require a phone number to use their services. For example: Signal, Telegram, Whatsapp, social networks like Instagram and Vk. They don't like anonymous users. For some users, Google requires a phone number to sign up. Twitter requires a phone number if they see something "suspicious" in user's behaviour.
Let's not forget the notable case of Twitter "accidentally" using your provided phone number for advertising purposes [0], and to this day still banning you after registration if you refuse to give it.

[0]. https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...

I’ve been using Twitter to follow some people who don’t have blogs etc since last May, and haven’t been banned yet.

Lots of likes, no RTs or posts though.

Facebook did this as well.
(comment deleted)
Twitter is especially silly in that regard. The info page on why my account was banned implied that one of my tweets violated the community guidelines - although I never tweeted anything.

Even more frustratingly, there is a form to appeal a ban. After filling out that form, I got a confirmation mail stating that Twitter will "respond as soon as possible", or in other words, never.

I do not understand why they bothered to implement all that hijinks to waste my time. Simply disallowing signups without phone number would have been much simpler and less dishonest.

Haven't given them my number on any of my twitter accounts. Where does this banning rumor come from?
I had that experience, maybe they are more forgiving to IPs coming from certain countries or locations. IPs from my country tend to be treated as suspicious (not as bad as Tor but bad enough to be an annoyance) so as soon as I registered ok Twitter I got a notice about "suspicious activity" and about having to validate a phone number to be able to use the account. At that time (2015 I think, I don't have the account anymore) you could get around that by contacting support, explaining that you don't have a phone number and waiting a few days for them to manually unlock the account.

Edit: this happens with Google and Yandex as well, requiring phone number to sign up (Yandex can unlock you if you contact support). Microsoft isn't as bad and can work with just a secondary email instead of a phone number. Also the whole country is banned from downloading the Lynx web browser at https://lynx.invisible-island.net/

>as soon as I registered ok Twitter I got a notice about "suspicious activity" and about having to validate a phone number to be able to use the account. At that time (2015 I think, I don't have the account anymore) you could get around that by contacting support, explaining that you don't have a phone number and waiting a few days for them to manually unlock the account.

Same thing happened to me last year in the US. The kicker was that they automatically opt you in to product update, daily digest, etc. emails. But those emails don't have a 1-click unsubscribe - the unsubscribe link takes you to your account settings, which you can't access when your account is disabled. So you can't unsubscribe from the emails or delete the account.

You can either add a phone number to stop the spam, or search around to find the page where you can submit a ticket (because there's not a support link on the disabled account page) and hope someone gets to it eventually. They never even replied to my ticket, they just silently unlocked the account after a week or two.

It's crazy the a phone number is a secret. The problem isn't having the phone numbers; it's all the terrible systems that only work if phone numbers are secret.
Phone numbers are not secret. These service ask for it mostly to be sure to get the right one (checking is expensive) and/or to have plausible deniability of your contentment when they abuse it later.
I feel like saying "after you!". What's that Google? No phone number? Oh...
Not to mention whatsapp is actually broken. It's bound to your phone number and can't change it. If you change SIM, your account is wiped. AND the worst: your contacts are not notified so if they send a message to the old number, it will just silently fail. Absolutely horrible. I never understood how whatsapp could be phone-number bound and not account bound like everything else out there.
I've been using a MySudo phone number to use for signups when I'm forced to give out one. Has reduced the noise i get in my messages for my real number

https://mysudo.com

Are they not blocked for being VoIP?
I've only run into one instance where they wanted a real number. (Coinbase) I think sites only block those when there's a reason to.
If my banks are all willing to use my Google voice number, then any other site should be willing to as well. And yet, most websites that want a phone number won't take it. My GV account is in use for WF, Discover, PayPal, Steam, and it was previously in use at BofA when I had an account with them.
Troy says: " At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading."

Interestingly, several cellphone numbers I know to be present in one set of leak data which start with international code 4 are not detected by HaveIBeenPwned.

Interestingly www.TroyHunt.com is blocked by Quad9 DNS!
Can I sue Facebook for leaking my number? Serious question.
What damages have you incurred?
Identity theft most likely, and the consequences arising from that.
What is the monetary amount, and do you have evidence of the theft?
I'm speaking hypothetically of course, I haven't actually been affected by this leak (so far).

But that doesn't seem hard to prove at all. At the very least, you could claim that Facebook's leak forced you to pay for identity theft protection/monitoring as a very reasonable precaution, and whatever that cost you would be the damages.

Then of course there's the possibility that someone did actually steal your identity and used it to drain money from your accounts, or simply caused you to waste a bunch of time hunting down for example fake accounts opened using your information, credit cards, etc.

And I'm not a lawyer, but I'm pretty sure somewhere in all this fuckupery you can throw in some punitive damages.

What?

How you gonna steal someone's identity just by knowing their phone number? You know that's something that hundreds of people and organizations already know?

It's not just their phone numbers, I've looked at the data myself and it's this:

* full name

* phone number

* country/state/city of residence

* country/state/city of birth

* relationship status

* date of birth

* employer

* email address

That's enough to do identity theft, enough to scam people (just look up Jim Browning's various videos on youtube), and with social engineering techniques the sky is the limit on what can be done with this information.

This page [1] suggests that "non-material damages (for example distress)" are sufficient to "claim compensation from the website [...] as they have breached the data protection law by not providing adequate security".

I've gotten spam calls since the breach, sometimes in the middle of the night while trying to sleep. That's distress.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Is it just me or... why do people even share their phone number with Facebook? What did you use it for? It wasn't mandatory or anything. Why the Pikachu faces?
It is very convenient for your friends/family to be able to get your phone number from your facebook profile.

I have used it a few times to contact people for whom immediate contact was preferable to facebook post/message.

Your comment is disingenuous. Facebook has been around for nearly two decades. There's plenty of time there for people to make mistakes and try to fix them. Unfortunately they're competing with their contacts who re-add those same mistakes and also competing with Facebook's own incentives to not delete data.

It'll be fun if/when any of these numbers can prove they requested Facebook to delete their data under GDPR.

I have my phone number and mailing address on my Facebook, set to friends only.

Why not? When I grew up, we had a phone book listing everyone’s name and address and phone number so you could find them to contact.

I consider all of this essentially public information and would rather make it easier for people I know to contact me. If it gets lost in a breach, whatever. I already get plenty of junk mail because I give to charities and they sell my address.

I believe their app uploads the address books of other people and those address books might contain your phone number and other details.
My number is on my profile, so that my friends can contact me shall they lose my number. Less important now that messenger exists and we can access it any time, but I put it there before it existed. It's come in handy in the past.

I also don't consider my phone number "sensitive" information I want to keep secret - it's already quasi-public and something I give out when I want people to be able to contact me.

I grew up looking people up in the physical phone book when I lost their number, fwiw.

In addition to other reasons already given, I'm not sure if this is still the case because I haven't used Facebook in a while, but back in the day, the only options for 2FA were code generator in the Facebook app itself or SMS. So if you didn't want to have the Facebook app on your phone, giving them a phone number was the only way to enable 2FA.
Many companies present you with the opportunity to "Protect Your Account" with SMS, and for that protection they 'just' need your phone number.

Turns out the phone number is the best unique identifier and is the perfect key for joining up lots of disparate sources of data. It's the kind of thing that you could either sell directly or use as an index to determine things like your estimated income.

It wouldn't surprise me if Facebook has had multiple technical methods for devising/stealing and disingenuous "protect your account" campaigns for willingly turning over users phone numbers.

Note to anyone that cares: Make your data as stale as possible: you can't change your address easily, sure. But you can recycle phone numbers (once a year, minimum). Change your credit/debit cards yearly (say to your bank you 'lost' it).

When ordering online, always, always, always use a fake number, it's not required. Always use a fake name where possible. Sure, you need to provide that as a 'billing' address, but in some cases it stops other third parties getting that info (on eBay you can type a random name to ship to, I've had fun with this :) ).

But lastly, LOL. Giving your data to facebook this is what you deserve, and for society accepting facebook as a standard part of life.

When do we protest to delete the website?

> When ordering online, always, always, always use a fake number, it's not required

Until something's gone wrong in the process and they need to call you to clarify/fix it. (happens regularly to me due to address suffixes not propagating correctly through crappy systems)

This is region dependent. In spanish speaking countries they pretty much never use email. Everyone - including the courier will just call you.
> When ordering online, always, always, always use a fake number, it's not required

Don't do this if you order anything that doesn't ship small parcel. The freight company may need to contact you and it will complicate matters and delay your final delivery.

I do something similar when a site asks for my birthday, i used to pick a random date, but sonce its sometimes used to reset password or asks u to confirm i just use the first of january of the year i was born so i can make sure i remember what i put.
Doesn't that kinda negate the goal of using a fake birth date? After all, they don't really care whether you give your real birth date, it's enough that it is the same on that other website they get your personal information from to correlate.
I don’t care if someone leaks my fake DOB in a Dropbox hack and then tries to reset my Netflix password.

Websites that use my real DOB are usually linked to my identity, so I’m much more concerned with protecting them from, eg social engineering attacks [0].

[0]: https://gizmodo.com/how-i-lost-my-50-000-twitter-username-15...

Yes this is my thought as well.
When birthdate is tied to an account, I pick a random one and store it alongside the username and password in KeePass. Same as the "security questions"; I make up and store nonsensical answers. E.g. "Q: What was your mother's maiden name?" "A: Blueberry pie."
I do the same thing but use KeePass’ password generator to create the answers. My mother’s maiden name will be something like “diejdJyt7ejHsud”
I do that as well, but I dread the moment I'll have to call support through no fault of my own and they'll ask me for the answers to some of these questions.
I mean, probably anyone could call and start reading off the letters from "correcthorsebatterystaple" and the support tech will go "oh yeah, you're one of those people who thinks they're clever with security; here are all your account details"
Just say, "it's a jumble of letters and numbers but I lost the USB drive where I stored all that stuff."

Most of these systems still use people who have quotas to meet, and can see all of your account details in some sort of admin panel.

>Change your credit/debit cards yearly (say to your bank you 'lost' it).

Huge shoutout to/for privacy.com. Been using for over a year now and it's been a fantastic service.

I change my phone number every year and I get spam calls all the time.
(comment deleted)
A note for people with US numbers who aren't finding their info:

> And finally, one last note on the data load process: At the time of publishing this blog post, all phone numbers beginning with international codes 4, 6, 8 and 8 have completed loading. The other codes are in progress and may take several hours more before they're searchable.

US numbers begin with international code 1, and it seems that they aren't yet searchable.

I was surprised that mine hadn't come up, since I've had a few Facebook accounts over the years with my phone number, and this explains it.

(comment deleted)
Thanks.

For anybody getting a miss and wondering if they messed up the formatting, my US number is coming up now, formatted with a vanilla +1-123-456-7890.

My US number also came up when entered as 12345678901 (1-prefixed but with no extra formatting or chars)
"When you search any of the endpoints on Have I Been Pwned, you can add a + prefix if you like and it'll be automatically stripped off when performing the search. Same with spaces and same with dashes."
According to the edit at the bottom of the post, "1" is now complete.
Interesting. I've still got no hits, which surprises me.
Only ~32m of ~190m USA Facebook accounts were in this leak. The US is surprisingly poorly represented-- a good thing!
As a foreigner I would say this is a bad thing. Ultimately, it'll be the outcry (or lack thereof) in the US that will determine whether or not Facebook will start taking people's privacy more seriously.
It's still 32 million people, that's huge. But you're totally correct there.
Given that the overall share of US accounts on Facebook is in the same range (FB has 2.6 billion users in total), I would say the US is represented exactly as expected.
(comment deleted)
I have noticed an uptick in the number of scam calls and texts I've been receiving over the last few days. No surprise that my number was included in this dataset.
As a Syrian who have used many throw-away accounts on FB, this is a life or death matter for many of us. I'm sure the Syrian regime will use this information to track activists. I have checked and there are 7 million leaked accounts from Syria, probably covers everyone who uses Facebook in the country. Facebook made it mandatory to provide the phone number and now that this is leaked, they bear the moral responsibility for all the people who will be affected by this.
I'm really sorry for the situation you're in but,

> they bear the moral responsibility for all the people who will be affected by this

Facebook should not be held responsible for dictatorships and totalitarian regimes killing people - even if they use Facebook's leaked data to do so. It's quite unfortunate, but the responsible party to blame is still the people actually doing the killing.

What’s the legal recourse for users who have had their numbers leaked? Any group action possible?

Could the US or EU fine them as well?

Getting to the point where we’re going to need phone, email, and SMS to be deny all by default. Can’t reach me unless you’re information is already in my contacts.
I get a lot of value out of being reachable by people I do not yet know.
As do I. This is a difficult problem to solve especially as the signal to noise becomes worse as abuse becomes more common.

Ive had to wildcard block my area code (since I don't live there anymore) which captures 95% of my daily spam calls - but people can still leave a message to break through my wall if it's truly urgent. I don't see how this could work with SMS.

Even message requests on facebook/messenger have problems where you are unlikely to even see the request unless you check regularly.

No one said it had to be by force.
Maybe I misunderstood your use of the "we" in "we're".
I found a novel solution by accident to this. I moved to a new area but kept my old number. 99% of my spam calls are from my phone’s area code. If you are not a contact and a number comes up from that area code, it is spam. If it is my new area code, it is a person or business trying to reach me.

You could likely get a far off area coded number.

Yea ignoring unknown numbers from my home state is fairly effective at blocking spam calls.
Same (though "I moved to a new area" happened in 2004). At this point I've just blocked the entire old area code and neighboring ones, aside from existing contacts.
Found the guy who bought the extended warranty for his car
No, I have never bought an extended warranty. However, I did today make good money on a business transaction because a stranger was able to reach me. I also had to delete some voicemails about extended warranties. This is a worthwhile tradeoff for me.
Possibly, but we can't do that either. What we need is some balance of both worlds. OOH, we do actually need to be contactable. OTOH, being too contactable means spam. I doubt there's a perfect balance, but either extreme come with too many problems.

Email has decent spam filtering, and I think that kind of cat-mouse system will persist. That said, there's "room" for more whitelisting.

The “Hey” email service toes the line well for me. I’d prefer all of my communications were based on a similar idea.
"I doubt there's a perfect balance, but either extreme come with too many problems."

In principle, "pay me a small fee if you're not on my list, if I put you on my list now it's free" would work well (optionally refund someone who contacts you out of the blue that you approve of), but there's a lot of both engineering and social details between where we are now and such a system.

It doesn't take much cost friction to deter mass spamming. I don't think much problem would be left behind from the handful of overconfident spammers who think that they can bust the odds and it's worth 25 cents a message or something.

Sounds like a good idea on which to base an ISP startup.

"Anyone not on your contact list will take $1 off your monthly bill for each phone call, SMS, or eMail they send to you (through our phone line & email servers)"

This is one of those ideas that appeals to economists and nerds, but rarely works out irl.

Artificially or intentionally aligning interests tends to be a "genie, make me a sandwich^" problem. There are lots of places where "reversing the charges," seems good in theory... but it never happens.

Anyway, linkedin have something like this. In practice, it feels like a better quality of spam, rather than a solution to spam.

^Poof. you are now a sandwich.

My phone number (and some other details) were part of Nano Ledger's database that got stolen last year. So, some entrepreneurial scammer started calling me on a daily basis a few months ago. Really annoying. I'm well aware my phone number and email addresses are pretty much public information at this point. I actually put that on my web site even. But stuff like this makes me even less likely to answer unknown numbers. Hilariously, the scammer actually called me while I was giving a security briefing to our company about enabling 2FA. I put him on speaker and we had a good laugh while the guy insisted in broken English laced with expletives that he "had my money".

A few months ago some criminals social engineered themselves past my bank's security as well. The first I learned about this was a funny conversation (by phone!) from an actual Deutsche Bank employee asking me if I recently changed my address and phone number and whether I opened ten new accounts. "eh no?!..." Basically their fraud detection system kicked in before these people did any damage. I made a point of not doing anything else than confirming information they already knew (like my old address, email address) and asked for an on site meeting to discuss things in more detail. I realized instantly I had no way of verifying anything I was being told on the phone and might very well be talking to a scammer. As it turns out this was for real and the person actually managed to find my "old phone number" in some archive. Otherwise all my contact information had already been changed by the scammers. Thankfully I answered that call. Apparently, this happened to several people.

Basically, what happened was some persons just called the bank's help desk, asked them to reset my online banking access codes, and then somehow intercepted the pin codes (thanks Deutsche Post) before they reached me. The theory is that somehow the security of the distribution system was compromised. As far as I an tell, nobody broke into my building or mailbox. Then started they using them to change my address, etc. They got caught only when they created sub accounts and started transferring money.

So they really had your money then?
The phone scammer, no. Just some idiot trying to get me to do stuff I should not be doing. Given how he conducted himself on the phone, he probably does not have a great conversion rate. People that do this are not exactly criminal master minds. But I guess some people get bullied into handing over their private keys, which I assume is what he was after. He clearly had some setup that auto dials numbers. After this, he apparently removed me from that list. So, tip: annoy the hell out of them and waste their time as much as you can when this happens to you. Putting him no speaker got a few giggles out of the team.

The criminals that got into my account got too greedy. The bank's fraud detection system kicked in and rolled back the transactions. But at that point they had complete control over my account. Very scary. If they had been more subtle, they could have likely stolen quite a bit. So, also not criminal master minds probably.

I've been called twice by my bank to warn me of possible fraudulent activity. Both times I hung up on them and called back at the bank's own public customer service line and asked them if that was really them calling. Once it was and once it was not, so I'm glad I was that careful.
It's a hard problem to crack. Some legitimate places need to be able to call you without you knowing them ahead of time. Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?

There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.

My iPhone is set to "Silence Unknown Callers." It's the perfect compromise. If a call is legitimate they'll leave a voicemail and I just call them back.
I discovered recently that my Verizon phone service’s voicemail had been full for several months. I’m not sure how I was ever supposed to discover that, but I ignored what turned out to be an important phone call and got burnt because I assumed I’d get a voicemail.
> Say your sibling was mugged in Mexico and the local little police station let them borrow the landline to call the only number they still remember without having to check their contacts in their phone. Are you not going to pick up?

Just wait for the deepfaked voice call scammers. Their best bet is to work up the hierarchy; a tiny local police station knows how to get in touch with a bigger police station that can contact an embassy, etc.

> There are a lot of these little edge-cases. Journalists, lawyers representing class action suits, government id expiring, and so on.

All of these use-cases allow someone to spend the time to contact you via your preferred contact method, whatever that might be.

I'm in my 30s and I can't think of a single time I have ever received a phone call that I didn't expect. I get several spam calls every day. I would make the trade (and recently have, I block all unknown numbers now).
I'm in my 30s and I can't think of a single time I have ever received a phone call that I didn't expect.

I've read that people not answering their phones is the number one reason that COVID contact tracing doesn't work.

But your comment makes me think that you've never had food delivered. Never used an Uber. Never owned a business. Never bought or sold real estate. Never rented a place to live. Never went to a restaurant with a wait list. Never done a lot of things that are perfectly ordinary, and require allowing people to contact you when they have questions.

Most delivery services with an app have messaging built-in so you don't need to rely on calls, but I also know when I'm expecting a delivery or a driver to pick me up, and if an unknown call comes from my area code (the one I'm actually in, not the one my phone number is in), I'll answer that. It's pretty easy to distinguish between times I might expect a call and all other times.

For all those other things, though, I'm not sure why you need to answer unknown numbers. I've never owned my own business, but did manage a small business and we had dedicated business lines. No one needed to call my personal phone. For buying and selling real estate, there are agents that act as go-betweens and you can put their number on your contacts list. For renting, put the management company on your contacts list.

Most delivery services with an app have messaging built-in so you don't need to rely on calls

I've used dozens and dozens of delivery companies over the years, and the only delivery company I've found that doesn't have its people calling on phones is DoorDash, and even that uses SMS. Plus, most of the best places don't use services, they have their own people.

we had dedicated business lines

Doesn't help you when someone needs to contact you in an emergency, like the alarm company, or the landlord, or security, or the police, thousand other things.

For buying and selling real estate, there are agents that act as go-betweens and you can put their number on your contacts list.

Sounds good in theory, but doesn't work in practice. There can be dozens and dozens of people and companies involved in such a transaction, and you can't predict who they all are.

For renting, put the management company on your contacts list.

When the management company sends a vendor over to fix something, you don't know what number they'll call from.

To "never" get an unexpected, important call sounds like a side effect of a quiet life. I envy you.

You're pretty much right on all of those. I do own a house (don't remember getting any calls, but that was a decade ago) and I do occasionally get food delivered (why would they call?). Otherwise you're right, I've never done any of those things.
All I can say is that I've had to make these calls myself and I was indeed quite happy when my family members picked up. It's hard to imagine it until it happens to you, but when you only have two phone numbers you have memorized and nothing else in your possession someone picking up is magic.

I know that we deserve something better than what we have now. I know we shouldn't have to put up with spammers calling constantly, but we don't live in a perfect world yet. We live in a messy world where sometimes people need to make a phone call and hope their loved ones pick up. I can think of a plethora of possible technical solutions, but that's besides the point. We need phone numbers to work. Let's focus on solving that problem, not trying to imagine it doesn't exist.

I do that already. Prevented e.g. Hult MBA from pitching their exquisite high-end educational services...
I already don’t accept any calls. The robocall stuff in the US is out of control.
I'm slightly surprised to find that my number has apparently not been pwned, given the huge uptick in spam calls that I've been receiving which seems to be coincident with the Facebook leak.
Not all phone numbers have finished uploading, check the blog post for details.
surprising that "Pakistan" isn't even on the list of countries. Anyone knows why?
Found my number on there too even though I've deleted Facebook for at least 5 or 6 years now -_- Not sure when I gave them my number either, I hope it wasn't scraped from someone else's contact list... At least it makes sense why I received a bunch of spam calls over the weekend.

Anyway it's probably good practice to recycle your number every few years, and not use it for 2FA to make switching numbers a lot easier. Who knows what services I'll be locked out of once I change, let's hope not too many.

I can’t imagine telling everyone I know that I’m changing my number every couple years, and I’m not even calling/messaging a lot of people nowadays. I have a family member who did something similar(not on purpose) and I still have 3 of her numbers and still get confused which is the working one.
I know exactly what you mean, there's only so many times you can append "New" on the end of a contact name!

A good chunk of people will probably communicate mostly on platforms like WhatsApp/Telegram/Discord/whatever that don't need numbers at all or facilitate switching of numbers without your contacts having to do anything. I don't think that will constitute anywhere near the majority of people across the world though, switching numbers will definitely be a pain for most.

I had a company phone about 6 or 7 years ago for a company I worked for at the time. When I was on my way out they unilaterally revoked my company-provided cellphone after convincing me I should get rid of my old private number for theirs.

I'll never do that again. It happened shortly after ditching social media and I just about all of my contact info and I haven't been in touch with some old friends because of that since then.

Even if you had the time to transfer your contacts, etc, something will inevitably get missed.

Hell, I've updated family and friends to an email address I've been using for closer to a decade and they still email the old one...

> At least it makes sense why I received a bunch of spam calls over the weekend.

Really?

Every phone number is already known to anyone who wants to get it.

I've had the same phone number for somewhere around 17 years. I kept this number even as I moved across the country (US).
I thought this was the norm. I've had the same number for 20 years now, though have moved through many different area codes since. But, I must be the odd one, because I get asked regularly why I have the area code I do, and the answer "because that's where I was living in 2001" doesn't seem satisfactory.
It's kinda nice living in a different area code from my phone. I know that if I get a call from 415, it's spam.
In my limited experience, I've had more phone spam plus wrong number calls right after changing phone numbers due to the number being recycled.
"Anyway it's probably good practice to recycle your number every few years, and not use it for 2FA to make switching numbers a lot easier."

Ironically Twilio of all places forced SMS 2FA on all accounts earlier this year.

As in, one day you could no longer log into your twilio account without giving them a phone number. You are locked out until you do.

Ironic in a few ways ...

First, twilio numbers are not mobile numbers - they are voip numbers - and cannot be used for most 2FA authentication services because they cannot receive messages from short codes. So it's ironic that twilio forces you to use a non-twilio number for their 2FA.

Second, many twilio use-cases (like mine) involve building a twilio infrastructure to replace my existing phones/numbers ... and now that is broken from the bottom up because I have to use a mobile phone with a fixed provider just to use twilio.

The bottom line is: none of this is for me or my safety and security. Twilio has a spam problem and that spam problem is very hard to solve. Forced pairings of physical phones and SIM cards is just a desperate way to throw sand in those gears to slow it down a little bit.

I have had a Twilio account for years, and have always used the proprietary MFA implementation from their Authy app. I don’t remember being forced to switch to SMS MFA.
I don't recall ever giving my phone number either and my number is detected by HIBP..