314 comments

[ 2.9 ms ] story [ 283 ms ] thread
Guess it's too hard to notify users that their information got leaked. I hope they reported to all the different institutions in Europe though. The article suggests they didn't even report it to the Ireland one!
They general guideline in the GDPR is 72 hours.

> In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Are you seriously claiming it's too hard? They could send out emails, Facebook messages or show some banner in the profile page.

This is Facebook ffs, they almost have a monopoly on communication.

Not our parent claims it's too hard to find the users affected by that breach, Facebook does. Curiously. Quote from the source article:

> The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified.

Did they not see the user ids in the leak? Just do facebook.com/user_id and you got the person...
> too hard to notify users

Legally seen.

The way privacy protection laws are, especially in Germany, is kinda stupid. On one side they often doesn't protect you in practice, on the other side they effectively hinder and sometimes prevent reasonable usage.

Just a view examples:

- A local government couldn't properly inform elder people that they now can get Vaccinated for free because the interplay of various privacy protection law (and stupidity/inflexibility in other areas tbh.).

- Germany has a privacy respecting anonymized blutooth based contact tracing app (wrt. Covid). But if you do a test you first have to physical sign of that other people are anonymized informed that someone they likely had contact with has covid, then when you get the result you still need to agree again to share this information. And even this was only possible after changing regulations. (I.e. why is one initial agreement not good enough?)

- The government most likely not being able to inform the victims of such data breaches.

- ...

> But if you do a test you first have to physical sign of that other people are anonymized informed that someone they likely had contact with has covid

This is false. I've been tested about 15 times within the last year and none of the things I "signed" included any of that.

I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

> then when you get the result you still need to agree again to share this information.

This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

Honestly curious where you got that information from?

> I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

If you did register a test with the covid app you had got had to sign something when doing the (not "fast"/PCR) test. If not something was legally not quite right. Also maybe in recent month this might also have been changed but it's unlikely..

> This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

I'm speaking about the covid app, not the health agency, which yes gets reporting always but also (at least at the being of Covid) had a completely inefficient procedure which made the German health agencies in most German states at least at the middle unable to process it anywhere close in time. Like they collecting "people you had been in contact with" 3! weeks after you where found to have covid was not uncommon.

> Honestly curious where you got that information from?

People officially working on the developen of the covid app (there is a ccc talk). And various other sources which also overlap with personal experiences (like yes I personally had to give agreement on paper so that I could use the covid app).

Note that the physical confirmation is kinda hidden on a paper containing all kind of information, so meany people might not have been aware of it.

> Legally seen.

Its funny, one would expect them to include that as part of their terms of service or the list of things they officially use your private data for. But no, apparently the lawyers they hired fucked up while writing these in a way that favours Facebook. Its almost as if they weren't plain incompetent and instead paid to mess this up, just like Apples lawyers fucked up adapting the warranty terms for the EU market, etc. .

Hit them with a few billion dollars for having a brain dead moron in charge of user privacy, each day until that oversight is fixed.

What I mean is that it's hard for 3rd parties to legally contact people affected by the breach. And in this case 3rd parties includes the government.
I am surprised how the Facebook stock is pretty unaffected by all of this.
They are subsidized. Stock may not be best indication of the performance of the company.
That’s the problem with free ad-based media giants. For an individual, the deadly combination of the platform being large enough, free and closed (no APIs for feature-complete third-party cross-platform clients) means a huge barrier to switching over to a different social provider with better ethical, infosec and privacy track record—and all the while company’s interests are aligned with ones of the advertisers, the actual paying users. Stock performance, of course, reflects that.
It's priced in.

/s of course, but maybe people really don't care because FB has been in so many of these types of controversies?

I own some of their stock and I keep buying more. Reason: FB is doing a great job with advertising and they are not just Facebook but also Instagram and other things.
Counterpoint: Facebook is taking your invested money and doing terrible things with it. Why fund that?
If the world's corporations are taking us to Hell, I want a piece of the action.
It's from 2019 is the stupid excuse they have.

The amount of laxity they have shown in this matter is appalling!!

"The crime was already committed - what purpose does it serve to punish us for it now?"
If you change your DoB every year like I do, you'll be fine...
Assuming not sarcasm, how does that help? Do you do this for just Facebook or for multiple websites?
I use a random DoB for every website.

(The only exception is banks because it has to match what's on my ID and credit report)

You assumed incorrectly :)

I don't have an account, but I'm fairly sure Facebook doesn't let you edit it once you've given it.

I took the habit of treating the DOB like a password when asked by an entity that has no business knowing it. I give a random date and keep track of it in my password manager.
Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuck: People just submitted it.

Zuck: I don't know why.

Zuck: They "trust me"

Zuck: Dumb fucks.

> hellbannedguy: something dumb 17 years ago

Probably.

This huge leak has definitely killed the SMS text messaging service. Sender can be spoofed and spam/scam/phishing have reached an intolerable level. The fact that they can cross reference you and then produce a more personalized content is huge. Changing password is easy (ok less easy if you recycle it) but changing phone number is something that I am not even relaxed to do.
> Sender can be spoofed

Is this worldwide or US? I for now trust the senderid and assume them to be valid if they are coming from bank etc. I also haven't heard of anyone spoofing SMS. Should I be more cautious?

> Is this worldwide or US?

Worldwide. SMS is just like e-mail, you can put anything you want in the sender field. You should absolutely not trust SMS.

Any idea on the extra security measures? In Turkey for example, when you change your SIM card the 2FA from the banks will stop working and you need to call your bank to re-activate it. That of course seems like a measure to prevent SIM cloning but maybe there are some security protections against spoofing. In many places SMS is a popular way to do payments and 2FA for high security applications.
Where does SMS get used to do payments? (...and how?)

SMS for 2FA is known to be a very bad idea, and some security experts have been shouting about the need to stop doing that for a while.

I also can't see any country managing to implement more restrictions on SMS without either breaking a lot of "legitimate" sources of SMS or being ineffective outside of a very narrow window (e.g. only blocking forged SMS for numbers originating within one country)

> Where does SMS get used to do payments? (...and how?)

In India, for every card transaction, for every DMAT transaction, for every password/PIN change SMS is used as 2FA. It is also mandated to require SMS 2FA for every one of these cases.

If my bank has any means to use TOTP/Yubikey, it is absolutely not made obvious, led alone clear or even possible.

Okay, so SMS gets used as 2FA for all those things, not somehow a primary method of creating transactions, correct?

Unfortunately, quickly looking, [1] suggests at least one of the listed services for sending arbitrarily forged SMS messages explicitly works in India, so it seems like this is still true for you. :(

[1] - https://www.usethistip.com/5-websites-to-send-anonymous-or-f...

"Where?!" Everywhere. It's being phased out in many places, but as a rule of thumb, mostly everywhere still.

"known to be very bad ... been shouting ..." Right, yeah, to put it in some perspective remember that you're talking second factor here. This is not your login, this is a secondary confirmation and you still need some serious motivation to bypass it. It's definitely doable, I work in security and I know what kind of attacks you're thinking of, but it's not the opportunistic kind of thing that a common thief will do without technical research and planning it out. If you know how to do it, you can probably find better jobs than this. It also doesn't scale well because you can only use it on people whose bank login you've already cracked in the first place.

I'd never seen or heard of it being used for payments before, which is why I asked - I'd heard of phone numbers being used as account names (effectively) in some payment systems, but being involved in the workflow of making payments is entirely novel to me.

I'm aware it's not your login, but it feels the same as asking someone for publicly searchable information to "verify your identity" - an additional "security" step that doesn't actually slow down any attacker more dedicated than a passing whim, but makes people feel good about whoever is using it, when there are better options that don't have the problems of SMS.

Yes, it doesn't scale well to bulk attacking, but most of my interactions are with people who take reasonable precautions like keeping their machines patched, not installing random crap from the internet, and generally avoiding other fun ways people get swept up in low-hanging fruit campaigns.

SMS 2FA is better than no 2FA at all, it's just frustrating to watch many companies deploy it and go home when there are better options, some of which solely also require a phone.

edited to correct my statement: I originally said "SMS 2FA is better than no 2FA at all in a number of cases", but no, I'm pretty confident it's strictly better, even with all my laments about it.

What better options are there that have approximately the same ease of use?

SMS works with every conceivable phone, even most landlines if need be, users don't have to install a separate authenticator app, which may require a Google/iCloud password (now where did I put that post-it note?), that takes up space that may be scarce on low-end phones and that may not even be compatible with very old phones, leaving affected people in a really unsatisfactory spot.

Then they need to set up codes for every login, figure out how to switch back and forth between apps and how to copy codes, which is not very discoverable at least in Google Authenticator – most people seem to memorize and type instead, cumbersome.

Hardware tokens are even worse, people misplace those a lot and unless you are a bank with a mature process for issuing these, setup is probably even more of a hassle.

All of this may be big deal if you (also) target less technical people and want them to use your product when they have the option not to.

With SMS, all the user needs is a phone number. Pretty much everyone is familiar with that, most will readily share it, too. iOS will even extract codes and show them on top of the keyboard, just wait a second or two and tap the code, done. It's about as painless and frictionless as it can reasonably be, with apparently relatively inconsequential security drawbacks – given it's supposedly trivial to fake SMS, there don't seem to be a lot of people doing so at scale. Maybe a breach like this one will finally change that? Remains to be seen.

For now I can totally see why one might stick with SMS as a second factor.

> users don't have to install a separate authenticator app, which may require a Google/iCloud password

If they wish to use Apple then that is their own choice, but on Android it's quite trivial to download Red Hat's open source authenticator app[1] from f-droid (the website, you don't even have to install the store if you don't want that). It's quite bare bones on graphics and features, doing only what you need it to (the f-droid build is 0.5MB, frankly still large for what it does but consider that it's like half of a single photo).

And if people don't have a phone with support for apps, then you can still fall back to SMS. Doesn't mean you need to force everyone down to that level.

Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset). Does that mean we cannot support anything better than sending a letter, which is accessible to him as well? Can't we have the better solution as well as the accessible one?

[1] https://f-droid.org/en/packages/org.fedorahosted.freeotp/

> With SMS, all the user needs is a phone number.

No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security. I get what you're saying about everyone having a phone number that you can identify them by, but that is also the issue: everyone has typically a very very limited amount of phone numbers (and typically linked to a government ID) whereas a throwaway email is easy to make and each TOTP code is throwaway by design. I think there's something to say for supporting this.

> If they wish to use Apple then that is their own choice, but on Android it's quite trivial to download Red Hat's open source authenticator app[1] from f-droid (the website, you don't even have to install the store if you don't want that).

That's even less intuitive than using the default app store. That's a whole new slew of concepts you need to grok (you can download an app from the web and install it without an app store; what is this fdroid thing? is this a virus? what do these dialogs mean?), plus training people to do this without also giving them the knowledge when and why this is safe isn't exactly helpful, but that's a lot to ask from a simple sign-up flow for a hypothetical niche app built by a hypothetical two-person team.

> And if people don't have a phone with support for apps, then you can still fall back to SMS.

You can, but that adds to the complexity and support burden and probably also costs you users due to sign up friction.

> Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset).

That's an interesting case. I'd like to think there would be a fallback for people like him, but I guess, in the vast majority of cases, he'd just be left out. The current state of inclusivity in tech is abysmal, though I've seen vision-impaired and deaf people get around their devices surprisingly well; it's still an embarrassment that this industry won't do better. It's hard to get this right when it should be hard to break this, but current frameworks and paradigms don't prioritize this. It's shameful IMO.

I do think SMS is a lot more accessible than authenticator apps and the like, even though that still will not work for everyone.

> Can't we have the better solution as well as the accessible one?

I'm not saying you can't or shouldn't offer the best solution you can. By all means give me Yubikey support and several fallbacks. But I can see quite well how not everyone might want or be able to.

> No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security.

Facebook definitely should get rid of SMS factors. If anyone has the resources to do much better, it would be them and the other giants. Not sure how they handle that, though. They'd still collect phone numbers in any case, but they'd happily image people's internal organs if they could, so that is a separate issue.

Apart from that people seem to be quite happy to use their phone number for signup if it makes signup quicker and less annoying. Even if the primary flow is email and alternatives are hidden in another tab, phone number still tends to get used a lot, in my limited experience. Same with Facebook/Google login.

Plus, for most people ai guess it isn't as black and white; in quite a few cases I've given my phone number even if signing up via email, because it helps a lot if people can just call me in case of issues (e.g. the restaurant is out of my extra topping).

That said, I'm all for offering as much choice as possible, and I'm not happy with the inflationary use of phone numbers as the only way to sign up, and I'm all for Yubikey support in every app, and it's disappointing that OS/browser vendors don't make this easier and more convenient, and if anyone wants to let me have as many anonymous phone numbers as I need, I'm very interested.

But, still, I can totally see why a resource-strapped product/dev team might come to the conclusion that SMS second factors are sufficient for now.

> it's just frustrating to watch many companies deploy it and go home when there are better options

I do agree with you there. To be clear, while I think the problem is of a smaller magnitude, I do agree with your general point. Other alternatives like very simple TOTP tokens additionally don't require a phone number and so you don't have this stupid "add your phone number now, we'll use it only for security, pinky swear!" prompts.

Heck, there could even be an argument that SMS OTP is now illegal with GDPR unless the user gives explicit consent. You can't use user data (PII) if it's not with consent, for a legitimate purpose, to fulfill a contract, for the user's own good, to comply with law enforcement, and I'm probably forgetting one or two reasons. Now that it's clear that stuff like TOTP is a better alternative, there is no reason to process people's phone number anymore for this purpose, making it impossible for you to send that SMS OTP. (Of course, you'd have to convince a judge that TOTP is better than SMS before we actually get case law on this specific use of a phone number so... *mumbles something about nine-tenths of the law*.)

> Where does SMS get used to do payments? (...and how?)

Look up M-Pesa[1]. Which is a hugely successful, mobile phone based payment system in multiple countries.

In Kenya alone, where it started, it had 17Million subscribers. In 2011, that was.

[1] https://en.wikipedia.org/wiki/M-Pesa

Carriers can indeed expose APIs for banks and other third-parties to check if a SIM has recently been reissued, but that's a separate problem from spoofing.
Are there Android apps for that?
Hushsms is one, but requires Xposed Framework.
Does that let you spoof sender address on any phone? I was under the impression that you had to create an account with a SIP provide to do that.

(Btw a Google search for "Hushsms" results in shady/cancerous app stores that all seem to mirror each other. Where is the official website/thread?)

I'm absolutely no expert on this, but I think your provider would usually filter this spoofing attempt out, just like with IP spoofing. But if you're in the right spot in the network (e.g. your provider doesn't check for spoofing or you're your own "provider") you can do whatever you want.

Another problem with Android could be that the operating system might not have enough control over the SIM-Card/Modem to spoof phone numbers.

I have heard about people using some services to send/call from spoofed numbers though

Actually, I trust e-mail more than SMS. With e-mail at least you can look at the headers and if you know which part you can trust you can verify where it came from. With SMS there is no such possibility.
I'm pretty sure Italy requires a company to register to an official list before being able to put a personalized sender ID in your SMS communications. I'm not sure about the inner workings but seems far from "whatever you want".

I kinda assumed this was a widespread modus operandi, apparently it's not?

Absolutely do not trust the SMS sender name or message content in any country. SMS can be spoofed so easily anyone can do it.
We heavily use programmatic SMS sending at work. There are two options how it could appear on the recipient's end: as a normal phone number, to which you can reply,etc. We had to purchase a dedicated number for this. The other option is to simply put whatever sender ID you want- we use company name.This way you can't reply to the message,so we mainly use it for marketing purposes. Nothing stops me from replacing <company_name> with <random_number_belonging_to_bank>
Never trust caller ID or senderid on phone calls or SMS.

The reason is that phone companies interoperate grudgingly and do the minimum required to pass calls and messages between each other, and also most phone companies are 100+ year old companies who have just layered modern tech on top of their old stuff.

They handle a massive unending stream of calls/messages and they can't possibly validate each one (even if they wanted to), so when a call comes into your provider (mobile or land line) it comes with all the metadata fields (sender, etc) populated, and your provider just passes that along without any verification.

This was less of a problem with there was a reasonably limited number of phone companies (a few per country) and they were all large enterprises..

Now with the rise of Twilio and tons of other pay-as-you-go companies that can hook into the global phone network to send calls and messages, and MVNOs (virtual phone companies that sit on top of the incumbent ones), there are too many players to track and in the name of convenience (and cost-savings) we haven't kept up with the verification part of the chain.

>they can't possibly validate each one //

Why not?

They don't pass on all metadata, that's part of the problem. If a call originates in $foreign_country, the sender gets to spoof it as a local call (sometimes they even use your own phone number). Are you really telling me there's no way to tell the difference between an off-shore call and a local one. It seems if this were true that billing is impossible, yet somehow the origin gets billed (though admittedly that might only be the immediate upstream, but usually this will be enough to disambiguate a scam call).

Phone companies make money from scammers. It doesn't seem to be a technical bar, rather a financial disinclination that stops phone companies from robust action.

There are valid use cases for spoofing caller ID.

It’s been a long time since I dabbled with Asterisk (IP PBX), IIRC, by default the call forwarding/redirection function uses metadata from the original incoming call. Let’s say, you’ve programmed your PBX that after 30 seconds of incoming call ringing, you want to redirect/forward the call (that is to make a new leg, and then connect them together) to your mobile phone number. I’m pretty sure, on your mobile phone you’d want to see the original caller’s number for incoming call, not the PBX’s phone number.

Major telcos are anywhere from 70 to 100-year-old companies generally speaking. Most of them are the result of haphazard mergers between many many local phone companies over their existence, so even internally they are often held together rather precariously.

I'll give you one simple example of the magnitude of this. In Ontario & Quebec, Canada, in the 1920s, there were almost 800 local phone companies operating, and "The Bell Telephone Company of Canada" was the long-distance provider that connected all those companies together. Even back then they handled almost 3M long distance calls per day (from roughly ~500,000 phones).

Over time, Bell bought up all those local independent companies and merged their records, customers, infrastructure, operations, etc..

That's Ontario and Quebec only, 2 provinces out of 10.

Fast forward like 60 years and in Canada local/regional phone companies in various parts of the country were still a thing in the early 1980s, and even now we still have distinct phone companies for some of our provinces.

And this is just one country that has less than 40M people. Now repeat this process in the US, and other parts of the world, going back almost a century, and you can start to understand the complexity we're dealing with here.

The insanity of these merged and glued-together tech stacks would make most people faint.

Obviously they're not all still running on super old tech, but if you look at any major incumbent telco's DCs you will commonly find switching systems from as far back as the 1960s that have been wrapped in layer after layer of "modernization" but are still there routing calls and running old code.

I know you believe what you are saying is "simple enough", and it probably should be, but sadly it's not.

And while you're right to say it's a cost thing, it is also a technical problem in that it would require massive coordination both internally within telcos but also between companies that are competitors to each other, and aren't naturally inclined to work together in the first place.

We have STIR/SHAKEN but the phone companies are dragging their feet on implementing it.
Yes STIR/SHAKEN is supposed to be in place in like 3 months...

I'm curious to see if it rolls out as smoothly as we hope.

This is probably overkill to say but to be sure:

Never trust any information from SMS, or from a telephone call (or email) - both SMS and CallerID can both be trivially spoofed, and frequently are.

If they have e.g. found out what bank you use, they can make the number look like it came from your bank ("See, this number is listed on the back of your card" is a common approach)

If you get a call or SMS requiring followup, then look/ask for a reference number and a publicly listed number you can call back on - _and verify this number is listed on the organisation website before calling_, ideally on a telephone you know they can't "hold the line open" on (less of a problem now people mostly don't have landlines). It's okay to "engage" with a caller as long as you are careful to not give up any personal information - especially in cases where it's a bank they should be fine with you refusing security until you can call back.

Don't ever relay information between channels e.g. if you _think_ you are talking to the bank, don't relay the contents of a 2-factor SMS you get, even if they say they are "sending" one to you. There have been cases where scammers have called the bank at the same time as calling the mark, so that when the scamee called the bank on a different line the bank verified that "they" were on another line.

In reflection, it's kind of crazy the things you have to be suspicious/paranoid and aware of, I'm not surprised that even competent/intelligent people get scammed, it often seems that the infrastructure that we rely on for trust is even flimsier than you could imagine.

Probably there are more extreme cases where these general rules aren't enough but probably unless you are a big CEO or something you are below the targeting threshold (see e.g. https://nakedsecurity.sophos.com/2019/09/05/scammers-deepfak... which will probably only become easier over time). A healthy skepticism about complicated workflows is probably helpful.

Facebook didn't even change user Ids. You can look up those people accounts to find even more information. It is crazy they got away with it.
Could someone elaborate on what the worst-case exploit would be for those number that got leaked? How would a scenario look like? Asking for a friend whose number got exposed...
What some spammers do in my country for example, is call old people and pretend their (grand/)children were involved in an accident and ask for money for quick interventions (the hospital is out of funds, bla bla). It's sometimes hit or miss cause the person might be next to them, or they just talked, or sometimes they can't figure out if you have a daughter or a son etc.

With a correlated leak like this, it's super easy for me to find your profile, see who you are, what you look like, even from just your profile picture I could potentially see you have a daughter yourself, so I can target your mother that something happened to her granddaughter and you, which would make her pay up even faster possibly.

It's still going to be a scam message, but they can use your Facebook ID to see everything public on your profile now, as well as the other fields in the leak like full name, location, bio, birthday. So whatever the most convincing scam message somebody can come up with is combining all of that data. Off the top of my head, "happy birthday here's a gift from us" messages from companies leading to phishing pages and personalised fake register to vote pages relating to upcoming elections in your area.

It's not really new data, it's just scam SMS I've received in the past has never shown any sign of knowing anything other than my phone number. Now you can buy phone numbers and pull personalisation data unrestricted from your copy of Facebook's database for each of them. I'm sure sophisticated scammers already were, but now everyone will.

Birthday is a form of identity verification too, for password reset.
None of the birthdays I enter are real. :P
and no one should put real birthday lol. Birthday is mostly used for targeting ads.

This is why facebook can say to advertisers, "We mostly have young people using our service. So please put your money on our company"

And yes using account of 60-70 year old always receives less ads :D

They have to be consistent, yes? If I enter 6/7/1989 everywhere they just have to get it once.
I use different ones for each account and write them down like passwords if it somehow ends up being a hint for password recovery etc.
If your phone is your 2fa, someone uses this data to target you for a sim-swap to take over your phone, and then uses it to take over high value accounts.
My university is known to offer the option payment of tuition through a popular online system. This option is done by sending each student, at the start of the year, an SMS with a link to a payment option.

Suppose you can get a list of people studying there, their names, and their phone-numbers. Faking this SMS and putting a payment that goes to you instead of uni would be a nice way to earn about 2000 euros per student who falls for it.

> My university is known to offer the option payment of tuition through a popular online system. This option is done by sending each student, at the start of the year, an SMS with a link to a payment option.

They don't email this information? They don't put it on an online notification system? I have no idea why SMS seems like the logical option for this.

Kids are more likely to text, less likely to email these days. I can understand why they’d use SMS for their target demographic.

That doesn’t justify the security implications of doing this...

Do kids still text or is that a generation or two removed from the current iMessages/WhatsApp/Signal/WhateverComesAfterSignalBecauseImOldAndDontKnow?
I'm sure they'd prefer to receive notifications from their university on WhateverComesAfterSignalBecauseImOldAndDontKnow, but I imagine that SMS is the 2nd best thing (and probably still generates eye-rolling about the university being old fashioned).
But then you're stuck logging into the payment portal and filling out the form information with your phone, which is my own personal hell.
Oh, I'm with you. I'd much prefer to pull this up on a real computer so I can efficiently fill things in. I've adapted to typing on glass with my thumbs, but I'm not very good at it.
I do not know why they do this. I really wish they would stop.

I have considered faking the SMS message, with the payment link saying "imagine this wasn't a warning message but an actual payment request, please tell the university this is unsafe". But sending that kind of mass SMS is not easy, nor is finding the correct phone numbers.

The email option is arguably an easier (cheaper) attack vector than the SMS messages would be.
Yeah, I thought of that after I wrote it. Send it to all the university accounts you can get your hand on, see who you catch. It's probably just personal preference showing through as well, as I wouldn't be comfortable paying with my phone. I also have no idea how people substitute their PC with an iPad or phone. Much harder to fill out a page of fields and navigate around, and I'm sure that Google Pay won't support $15,000 payments.
Can anyone on HN please explain why, why, WHY are we still using SMS/telephony which has exactly 0 encryption wh---I guess that's the reason?

It's insane. I've heard banks using SMS!!!! To send a code. We have TOTP for that! Or even perhaps a push notification or something better than bloody SMS.

I refuse to use the networking system altogether. No phones, no calls. Of course you do 'need' a number so I keep one handy, but I haven't read a text or made a phone call in a long while.

It needs to die. NOW. Outlaw SMS!

I don't know anything about the technical details with this, but I wonder why mobile service providers don't just kill off regular SMS and calling, and start providing service exclusively through data connections? The infrastructure for that old stuff can't be free for them, there must be some significant costs associated with it.

Maybe Starlink will be able to provide a mobile phone service that only offers a data connection one day, and that will be the "disruption" the mobile industry needs.

As far as I know, newer cell phone standards only define how to transmit data. Phone calls are simply layered on top of that.
It's because SMS works without data.

I doubt that most of the people that complain about SMS live in rural areas. It seems to be more of a US thing. The country is so large that unless you live in a city you just won't be able to get data reliably. This leaves SMS as the only form of phone communication that isn't a voice call.

Agree, SMS just work, everywhere and always, with every mobile phone.
It's simple, it works with the dumbest of mobile devices, and people understand it.

Even installing and using a TOTP app, and configuring it to work with an online login, is a hurdle that a non-negligible number of users cannot pass.

It's better than nothing.

> I've heard banks using SMS!!!!

It sounds like you're incredulous that even banks are being insecure, but history has shown that you can expect banks to be roughly last in terms of competent and secure IT. I trust my Walmart.com account info to be safer than my bank info.

  > This huge leak has definitely killed the
  > SMS text messaging service.
So with this breach, one now must use WhatsApp for messaging contacts? That is rather convenient for Facebook.

As someone who has much friction already convincing people to use SMS with me instead of the WhatsApp account that I've never had (nor a Facebook account), making SMS even more problematic is great for Facebook. Many people assume bad intentions or some other undesirable status when telling them that I don't have WhatsApp and that I'm not willing to install it.

The reason that Whatsapp massively took off in certain parts of the world, and to an extent even replaced the public-telephone system (e.g. restaurants and other local businesses may even want to be contacted by Whatsapp, not phone), is because SMS is expensive, but data is not. Sure, you might be in a part of the world where SMS is a viable option, but for many people it no longer is, and instead of asking for SMS you might suggest an alternative like Telegram or Signal.
I've been trying to get people to use Telegram for years. For whatever reason, everybody wants to hear why Telegram is acceptable to me but WhatsApp is not, but they are not patient enough to even try to digest the answer in the majority of cases. And people will install any privacy-invading games or icon packs with no problem, but not another instant messenger. I have no idea what is behind this phenomenon.
If you think it is important to notify the victims, why don’t you do it yourself? You have their contact info!
That'd be a punishable offense. No, literally.
That's is for Facebook in EU, I hope.
(comment deleted)
Zuckerberg is probably right in this one. Whatever fines might come out in the EU around this will be nothing compared to the cost of loosing the customers they notify and the cost of notifying them.
"Right" to keep FB valuation, but that doesn't mean legally/morally/ethically right.

I'd say Zuckerberg is in the wrong, but I also understand why he made the decision.

> Zuckerberg is probably right in this one.

Yes, for protecting his own interests. Users are just like cattle, playing farming simulations, feeding cattle.

They needn't to know what's happening in real life.

> Whatever fines might come out in the EU around this will be nothing compared to the cost of loosing the customers they notify and the cost of notifying them.

There is no mention of GDPR in the article, but in the worst case of not notifying _at all_, the GDPR fine should be $3.5B (4% of their global revenue). Is this quantity insignificant enough for them to ignore? (not rhetorical, i have no idea how much capital they are happy to burn).

> Zuckerberg is probably right in this one.

Right from an economic perspective perhaps, but not an ethical one...

EU legal system will not allow a company to trade infringement for a fine.

If they had to do something, they will get a fine and they will be forced to do it anyway by the court.

If they don't comply with court orders they will be fined separately with an accumulating sum until they do.

Utile the does the EU does notify them, which would be really funny tbh.

Just imagine getting a SMS (chain):

> You phone number and some of your data (<listed>) had been involved into a Facebook data breach. While Facebook is required by <insert law> to inform you about this breach they insists of not complying with the law and keeping they users in the dark. As such we <insert EU/local government agency> decided to do so. More information can be found here: <link to official EU site + link to local government sites with official translations>

Of course a government body would never actually do this. Isn't it more likely a concerned citizen would?
Good idea, I’ll just pop on my SMS machine issued to all concerned citizens and crank out half a billion messages.
Well I guess no one wants to pay for sending millions of text messages. Also, there might be problems regarding the DSGVO since you can't just text a large amount of people without their permission.
EU will not notify them, since EU doesn't have technical tools and legal framework to do it.

If DPA finds Facebook in breach of GDPR they will be ordered to do it with additional fines for non complying.

Art. 58 GDPR Powers point 2:

> Each supervisory authority shall have all of the following corrective powers:

> (e) to order the controller to communicate a personal data breach to the data subject;

> (f) to impose a temporary or definitive limitation including a ban on processing;

> (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

If FB still refuse, it will end up in the court.

If the courts agree with DPA, then FB will be ordered by the courts as well.

Courts can choose their way to force companies to comply with their orders.

Literally anyone with a fist of dollars and minimal dev knowledge access can parse those leaked numbers, send mass text via API and damage facebook even more than they would damage themselves.
It does not mean that EU can or wants to do it.

Actually, the processing of this data itself is probably a breach of GDPR.

Yes it won't happen due to legal reasons, but I would love it to happen anyway.

Technically it's not a problem, it's kinda easy to filter phone numbers by country and (less reliable) by carrier. Then you either can use country local SMS gateways or potentially give it to the carrier in question and let them do it.

Again the problem is the legal basis.

Preferably a change of law should:

- make it legal for the goverment to do the contacting, including by passing it to the carrier associated with the number

- require carriers to send the massage (to avoid auto matic SMS spam detection problems). Through you give them some (small!) amount of money for their (lets be honest) small amount of additional work.

Then we need to reform the law to impose bigger fines or other tools that dissuade FB not notifying the users
I would advocate not only for fines, but companies should be required to pay compensation to people affected by the leak. To the extent that if someone address got compromised, Facebook would be required to relocate that person / family to a new address of comparable standard.
> compared to the cost of loosing the customers

Given everything else FB has done to hose its users, I don't think this is the last straw.

This is one of the best cases to see if GDPR truly works in Europe
It's kind of an edge case since the breach happened before GDPR enforcement started.
GDPR was enforceable from 25th May 2018. Leak dates to 2019 from the news sources I've seen.
I could've sworn it became enforceable later but apparently I've lost all sense of time.
We all have this year :)
Why notifiy? Victims got notified everyday with many spam-sms. Thanks Facebook!
Because I would really like to know if I'm affected. According to "Have I Been Pwned" my phone number is not in the list, but about one or two weeks ago I noticed that my spam folder was unusually full, which led me to believe that something new must have happened. Shortly thereafter Facebook's leak hit the news.

From my point of view it is their obligation to notify all the affected users. It's morally the right thing to do, and legally, well, I don't know, but maybe the GDPR says that yes, that it's their obligation to do so.

And with notification I mean to send a notification email, since I haven't logged in for months and don't intend to this year.

The leak did not include email addresses, so your email spam issue is unrelated.
It did include email addresses in some cases, just not all of them.
According to haveibeenpwned.com

> whilst each record included phone, only 2.5 million contained an email address

Newer Android versions have an SMS spam folder as well, they might have been talking about that.
That's not true, many of the accounts did have email addresses.
The only email addresses in the leak are of those who have specifically set their email address to be public on their facebook profile.
Just assume the answer is yes. If you are active online at all, you're in a breach somewhere. In fact, you are likely in a breach even if you are not active online (in a state/federal government data breach for example)
My understanding is they are wilfully violating Australian law too, not just the GDPR. I wonder how various countries will react?
I hope the fines are enough for them to ensure this doesn't happen again. Personally I don't have a Facebook account because I don't trust them anyway but I think the people who have one probably didn't want this to happen.
The "real names" myth was the biggest scam played against people in the past 15 years. The media are also wholesale responsible for perpetuating that damaging trend. Historians of the future will look at the past 2 decades with disbelief.
What's the 'real names' myth?
The idea that using your state-given name online is beneficial.
What is a state-given name?
The thing on your birth certificate.
Presumably your birth name given to you by your parents. Describing it as "state given" seems intentionally misleading...
It should be called "state-recognized".

The state does not give you name, but it registers it and uses it to recognize you in various situations. Usually the name is not enough to identify a person (and fun/disaster ensues when this is attempted) so, usually, more information is needed to identify a person.

Yeah, it’s fine to have some public facing content online, but the first thing a child used to learn before going online was to never use your real name and to never give out any personal information like your address and telephone number. At least that’s how it was where I grew up.

I remember when Facebook launched I had a visceral reaction after seeing all the content being shared out in the open. My dad didn’t even want our phone number in the phonebook, and now I saw everyone else sharing every detail of their identity online.

I started using my real name online when I realised it was better than things that I control come up when you search for my name, rather than whatever someone else posted online with my name next to it.
My first online social experience was Usenet in the 1980s. It was very common for people to use their real names (though certainly not everyone did). My university encouraged real names, the rationale was that if you use your real name you will be more courteous, and only say things that you would want to be associated with. It's much easier to troll and engage in flamewars and generally be an asshole if you do it anonymously.
Scam? That assumes deliberately misleading people for the scammer to benefit. Who exactly is benefiting from this?

While I don't agree that it's obvious even now that that using real names is damaging (i.e. makes things worse than anonymity/pseudonymity) the assumption that it's a scam goes 100% against Hanlon's razor.

It's pretty easy to claim that using real names online does more harm than good when pointing at a data leak but we should also consider the opportunity costs, the outcome of the alternative scenario. I'd say that all the fake and troll profiles show that anonymity makes people behave in a way that's damaging to online communication (and hence is a lot, maybe most communication is online these days, all communication). You can say that fake profiles are there anyway, which is true, but it still doesn't mean that everyone going anonymous wouldn't be a lot worse. So at best it's an undecided question as opposed to being a deliberate scam.

> Who exactly is benefiting from this?

Facebook.

Oh, I wasn't aware that the GP comment suggested that it's something invented by FB. Anyway, how is it a scam and how is FB benefiting from the real names? Especially at the expense of the people? Another commenter above said that they think the real names were the main selling point of FB. Maybe. But then it's not a scam by definition (as FB is a very popular product and if the real names made it to be that, then that's what the people wanted most).
Real names were facebooks selling point. 'Join in, all the friends you know by name are here, upload your entire phonebook to us, look everyone's doing it'. Facebook's quick growth made billions and billions to some of people
I'm not sure that was the selling point but that doesn't make it a scam, right? Especially because if it did work as a selling point it means that people were also benefiting, so it couldn't really have been a scam.
Isn't it just scraped public data? Calling it a leak for data that's public seems odd.
The data isn’t public. It’s based on the friend finding feature. If you fill a contact list with phone numbers Facebook will automatically suggest the person with that number as your friend. So if you make a contact list with all possible phone numbers, you can know who they belong to.
I suppose a well meaning spammer could just SMS everyone pretending to be Facebook.
Let me just drop a note here that I happen to have two "unlimited" SMS subscriptions (i.e. could at least notify a few thousand people) in different European countries and that contact info is in my profile in case anyone has... ideas... :-)
(comment deleted)
Can't edit anymore, but this was not exactly an invitation to email me names and phone numbers to text. I don't know the legal implications of sending mass unsolicited messages to people whose phone number I obtained through downloading questionable data.

If you really want to warn people and you have a plausible explanation for the legal basis on which we're doing this, then I would definitely be able to contribute resources to your cause.

But also, frankly, they put this info there and configured it to be public themselves. Doesn't mean they don't need to be warned about this misconfiguration, but it's quite different from if there had been a data leak caused by facebook that facebook isn't telling the users about. I don't feel the need to drop what I'm doing and spend a couple days looking into the legal status, coming up with a good narrative / what to text them, gathering other people, figuring out how a regular human being can send hundreds of text messages without doing custom app development (if avoidable), dealing with the aftermath...

TL;DR: if you cleared the list of todos in the previous sentence, then my resources you shall have.

This is probably illegal in Europe. They have 72h to notify their users after noticing a breach according to GDPR's article 33: https://gdpr-info.eu/art-33-gdpr/

Edit: My bad, only notify the authorities.

Except they're not claiming 'breach' they're claiming 'scraping'. Not sure semantic acrobatics is going to fly with the regulator however.
They claim “scraping” in contexts where it benefits them to use that term (requirement to notify users) and “exploited vulnerability” when it benefits them in other contexts (answering to why private personal info was found online). Sometimes they even claim both in the same sentence:

> A Facebook spokesperson told Insider that the data had been scraped because of a vulnerability that the company patched in 2019

They absolutely can’t have this both ways.

> Notification of a personal data breach to the supervisory authority.

Not users. FB had probably done that already.

Notification to users is required by article 34, not 33: https://gdpr-info.eu/art-34-gdpr/

There is no 72h requirement, but "the controller shall communicate the personal data breach to the data subject without undue delay"

"The Facebook spokesman said the social media company *was not confident it had full visibility on which users would need to be notified*."

@Facebook here you go: https://haveibeenpwned.com

If Facebook has since deleted some of those accounts or associated phone numbers, they may no longer have a way to contact those users.

The GDPR in Europe would require them to delete that data in a bunch of circumstances.

The beach has phone numbers and emails- why wouldn't they be able to contact those users with that information?
Facebook can't use the breach itself to contact users, no. The data could have been tampered with, and besides, Facebook doesn't have permission to process the leaked data in that way.
If they find a match against the leaked data, that would validate it and prove it had not been tampered with and at least allow them to contact a subset of users. Why can't they do that at least?
They can do that. They probably won't because they'll argue it's all part of peoples public profiles and therefore published information rather than private information.
That distinction doesn’t matter for the GDPR. Publicly available information can be personal data, even if the entire world knows about it.
A company that employs dozes of data scientists and has petabytes of data is now supposedly unable to compare and match two datasets? Come on, this is beyond ridiculous.
Clearly they technically can. It's that the GDPR doesn't allow it.

Think about it... If you asked a company to delete your data, are you giving them permission to go refind that data on the dark web, cross reference it with records they should have deleted, and use it to send you email? Clearly not.

I doubt Facebook gives a shit about the GDPR
If GDPR prevents people from being notified that their data was breached, then the GDPR needs revision.
GDPR mandates notifying affected users, so there's no reason to change it.

Unfortunately there's a lot a misinformation around GDPR spreading online.

The post I was replying to was claiming the GDPR prevented it. If that is incorrect, then so be it. I'm American, so it largely doesn't directly affect me.
> It's that the GDPR doesn't allow it.

Source? Nothing prevents Facebook from making a public announcement that anyone that had an account on Facebook between dates X and Y might have been affected.

(comment deleted)
Can you clarify what you're talking about? I do not believe that GDPR regulations prevent Facebook from notifying their users about a data breach.

I mean, GDPR is a joke but that would be absolutely nonsensical.

> If Facebook has since deleted some of those accounts or associated phone numbers, they may no longer have a way to contact those users

That would totally defy logic.

I don't think that Facebook deletes anything ever.

I deleted my account a few months ago and was pleasantly surprised to find that it didn't surface in the breach. It could just be hiding in a different datastore of course, but it's definitely more fucks than I thought they gave.
Same here, deleted about 6 months ago. Was just as surprised.
The leak is from 2019 though
Oh interesting; I thought I read somewhere it was recent.
I don't know that this follows, given that the prior probability that your info was leaked is pretty low. "Only" 20% of global accounts' info were leaked, and only 13% of US accts
well i deleted mine in october 2019 and i’m in.....
Because they might have deleted some of the accounts they no longer have an obligation to notify the rest that they haven't deleted?
While this may be true, this doesn’t have to be an all-or-nothing thing.
It isn't true, that was the point of my question. They could (and must) notify the ones they still have data about.
The way your comment is structured, it is not obvious that it is a question.

> They could (and must) notify the ones they still have data about.

I agree strongly. For what it's worth, this is absolutely not what I took away from your other comment.

The question mark at the end of their original comment is a strong indicator that it is indeed a question.
> Because they might have deleted some of the accounts they no longer have an obligation to notify the rest that they haven't deleted?

The sentence structure is a strong indicator that this is something other than a question.

This could easily be interpreted as:

"They no longer have an obligation to notify the rest, because they might have deleted some of the accounts...duh"

The commenter's clarification removed the ambiguity, but let's not pretend the original statement was crystal clear. I think the difficulty interpreting the comment is also partially a result of just how passive-aggressive many comment threads have become. After clarification, I understand the original intent. Without that clarification, there are two interpretations.

A different way to say this would be:

> "Are you saying they no longer have an obligation to notify the rest just because some of the accounts might have been deleted?"

Have another up of coffee, the data is in the leak.
More than a year in and people still don't understand GDPR....
I think Facebook (rightfully, IMO) would argue the existence of that data dump is no proof that data came from Facebook’s servers.

They can’t assume that, or trolls or unscrupulous competitors would start creating ‘Facebook’ data dumps left and right.

I do wonder what EU regulators will say about their viewpoint that they do not have to inform their users, though.

If they can't measure the scope of the breach they must notify all customers that they might have been affected.
One well-known company I worked had a data breach published online and reported on. I know people on the accounts team and security team and have seen the code for how passwords are hardened. No one internally who knew those systems thought it was a breach; it was more likely people reusing credentials that were breached elsewhere.
While I get what you mean, data has the profile links too. Matching the data to real facebook profiles would be near? impossible if the source was not Facebook.
>I think Facebook (rightfully, IMO) would argue the existence of that data dump is no proof that data came from Facebook’s servers.

Mark Zuckerbergs phone number was in the dataset. It came from Facebook.

It probably came from Facebook, but that doesn’t follow from the fact that Zuckerberg’s phone number is in the dump. I don’t see how, even before this dump was made public, Facebook could have been the only entity in the world to know that phone number.
I use yourdomain@mydomain to sign up for accounts. name@mydomain is something I try to only give to friends.

According to that site, my personal email has been leaked by Adobe, and by a bunch of shady database firms I've never heard of.

(On further reflection, I probably used my Google account to log into Adobe, which leaks my personal email to the site I'm logging into.)

Most of those shady databases are data collectors. Sometimes I see those on domain wide reports for names even if the user never actually had that email address. Sometimes it's just a guess.

Ex: You might see joe@mycompany.com in the report for those db, even though Joe Smith only ever had joe.smith@mycompany.com.

And sometimes its legit scum collection. Some of the spam you get is just verify what email addresses work and what don't. If it doesn't bounce, you know you got a valid email address. Works for a lot of businesses (but not if you've got a personal catchall)

For years companies have been steadily asking, mandating or even trickling users to give them their phone numbers under the excuse of security (while the real reasons were different), now what?

How can they be trusted anymore?

This also strikes a great point about the data sharing between Facebook and WhatsApp. Linking data between services augments the dangers and the consequences are not obvious to the end user.

I think Facebook should offer their users the option to remove their phone numbers with a real deletion.

>How can they be trusted anymore?

They never could be.

zuckerberg's infamous "dumb f**ks" quote comes to mind.
Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuck: People just submitted it.

Zuck: I don't know why.

Zuck: They "trust me"

Zuck: Dumb fucks

Instant messages sent by Zuckerberg during Facebook's early days, reported by Business Insider (May 13, 2010): https://www.businessinsider.com/well-these-new-zuckerberg-im...

Given the number of times this quote has been dutifully typed in this thread, HN finally found its narwhal to bacon at data breach, it seems. It’s interesting to watch the competition between those flagging it off the site and those repeating it, apparently unaware it’s been flagged and removed already.
Obligatory:

"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg

>For years companies have been steadily asking, mandating or even trickling users to give them their phone numbers under the excuse of security (while the real reasons were different), now what? >How can they be trusted anymore?

I don't know if they can. I had specific conversations about things life preferring TOTP to phone in internship and job interviews, but I struggled to land the prestigious roles others did, though people I've spoken with informally certainly like to parrot key phrases I liked to use when we'd socialize at conferences.

What does the last sentence have to do with trust?
Certainly I cannot be the only one who finds phone numbers, email addresses, and many other things quite inconsequential compared to name and address.

In particular, there could easily be a postal system implemented where the sender would not need the actual physical address of the receiver. The receiver could easily ask the postal service to generate an arbitrary key which could either be single use, or multiple use, in order to deliver, so that one could receive mail and packages without having to surrender information regarding one's place of residence to the sending party.

Recently, I was hand delivered something from my sports club at my address as an apology for COVID. All quite considerable but I'm not so comfortable with that apparently my physical address is known to arbitrary members of said club, and that I was required to give it in order to sign up, which is necessary with modern technology.

There is no theoretical need to surrender one's physical address to join a sports club in theory, but physical addresses are exchanged everywhere as though there be no problem with this. They are of course the easiest way to stalk and harm someone.

So much of what is considered private "PII" today was considered public information only a generation ago. When I was a kid (1970s):

- Names, addresses, and phone numbers were published by the phone company in a book and given to everyone.

- Hospital admissions/discharges were published in the local newspaper.

- Social Security Number was used for everything. Many people included it on their pre-printed checks. Engraving it on valuable personal posessions was encouraged, for help identifying them if they were stolen.

None of this was considered a real violation of privacy, or at least I never heard anyone really express any concerns about it. Unlisted phone numbers were a thing, but very few people had them and it cost extra to have one. Most people wanted to be in the phone book so others could contact them.

I guess the big thing that's changed is identity theft is now a thing. That's because it's become possible to "identify" yourself by providing enough information about yourself without actually being physically present. Also online harassment/doxxing. All of which is only a problem because everything and everyone is online now. That is the real problem, not the information itself. Of course there's no putting the genie back in the bottle.

> None of this was considered a real violation of privacy, or at least I never heard anyone really express any concerns about it. Unlisted phone numbers were a thing, but very few people had them and it cost extra to have one. Most people wanted to be in the phone book so others could contact them.

Yes, and I think it was wrong to do so.

I think it's ridiculous to be worried about websites tracking one's noncorporeal identity tied to an integer on the internet compared to that everyone in my sport's club can easily retrieve my physical place of residence.

Further, I think sovereigns should mandate a class-action monetary compensation from F'book to each and every user affected, as a pre-req for further continued operation in each national jurisdiction.-

This, of course, due fines aside ...

Edit: See my further comment upthread on this, or other solutions.

> I think Facebook should offer their users the option to remove their phone numbers with a real deletion.

Man sometimes I think people forget phone books existed for a long time.

I can see a few (a lot) of differences between a phone book and Facebook in this analogy.
well yea, they aren't "really" the same thing. It was just phone numbers weren't considered all that private back then.¯\_(ツ)_/¯ just a hot take
Back then you could ask the phone company to unlist your number... and they actually did it.
Also, back then, it wasn't feasible for random people online to put your information into endless databases to be called on repeat by auto-dialers. Back when phone books were prevalent was not the same world. It is an excellent point that phone numbers (and even addresses!) were considered public for a long time. However, I think there is plenty reason for the conscious consumer to want their number to be more private, in light of where we are today. Today, someone can use your phone number and address to steal your identity, harass you, use it to get more information, etc.
I had the same feeling. It seems the two things here in question is my phone number (which luckily I never gave fb), and my email which it seems every spammer in the world already seems to have?

I noticed this even back when phonebooks were a thing that a 'private' number was not something random people should call. Yet the reality is that number is kind of public but not. If you did accidently call one you would get 'how did you get this number' from the person you called.

Judging by the amount of phone calls I get these days. They have also already correlated a huge number of these. Short of me changing my number every few years there is not much I can do. I am getting cold calls on property I bought 20+ years ago and them asking if I want to sell.

At the bottom of this though is the 'data' these companies are scouring on us. Then cross correlating it. I have for the past few years come to the conclusion data is harmful to keep for both the end users and the companies that do it. Companies like google and fb seem to be of a very different opinion. Companies should be going into collecting data with 'how do we get rid of it after some period of time', not lets buy more HD to keep it on.

the phone book are completely a different animal. As example they are almost useless to reverse lookup a number...
Reverse phone books were a thing. They were harder to get but libraries had them.
> Man sometimes I think people forget phone books existed for a long time.

If the notion were introduced today, nobody would tolerate them. That they once existed is hardly an argument that such things are a good idea.

Not to mention that all people I knew growing up opted to have their numbers removed from the phone books. People don’t want their number to be visible to everyone.
And you had to pay monthly for that 'service' -- for them to NOT publish your number.
(comment deleted)
(comment deleted)
Facebook should also offer complete opt out from any tracking. Their model where they offer their service for "free", but harvest tonnes of personal data and then use them for targeted advertising, should be regulated. If your family is on Facebook and you want to maintain contact with them, it is next to impossible to move everyone on a platform that respects privacy. I think an option where you pay monthly and in exchange your personal data is not being used should be mandated by law.
I agree with much of what you say here and I think it would be an improvement. Personally, I still wouldn't use a tracking-less Facebook because:

1. I don't trust Facebook to not track me. When I left Facebook for good in 2014 it was because, for the second time after setting all my settings as private as I could (show photos only to friends, etc.), Facebook somehow reverted everything to "public".

2. Their algorithm is still aimed at generating controversy rather than truth, and that's enough for me to not use it.

> ... Linking data between services augments the dangers and the consequences are not obvious to the end user.

Or the end user's friends and family who's privacy was also affected by being in the user's contact list.

Phone number is a primary second factor for most people, and either a phone number or an email address is required to authenticate the person logging in is really the owner of the account in many instances such as logging in from a different computer.

Google does the same, they've even published a paper showing just adding an email address is enough to eliminate 90+% of phishing attempts.

So if I decide to fish the world with this database, am i really doing something wrong? Cause you would think if somebody steal from you at Wallmart and the cashier sees it. They would try to notify you. If everybody think it's ok, when does it start to be:" I just found this wallet full of cash and i'm not notifying the authority?"
Who's going to tell them otherwise?
(comment deleted)
Oh, facebook will pay for this breach. A lot. One thing is breach, the second part is hiding and not notifying "natural persons". They have basically violated (ignoring data collection methods etc.) what GDPR is about. But probably they wont notify non EU users. As they are not obliged so they don't care.

Article 33.

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

https://gdpr-info.eu/art-33-gdpr/

Article 34:

"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."

https://gdpr-info.eu/art-34-gdpr/

True in theory but Facebook is one big GDPR breach and nobody with the power to fine them seems to give a shit...
Stunningly negligent decision by Facebook. More evidence that FB is confident they can get away with most anything without significant consequential blowback on their bottom line at the end of the day.
how is this even legal in the US?
My twitter account got flagged as suspicious even though I haven't used it during the past few months and have a long random password. Now they want my mobile number to "verify" me in addition to a captcha. It is ridiculous and ovcoiolsly tech companies can't be trusted with personal data of that caliber. I have never used my real name with that twitter account and now they want to know it all, why? Greed is my guess.
Discord asked for 'phone verification' yesterday after failing to sign in successfully a couple of times. If they didn't have my phone before, how will having it now verify anything?

Nope. Account disbanded.

> Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.

From here https://www.dataprotection.ie/en/news-media/press-releases/d...

Thanks for posting the only useful addition to the thread. :)

So the authority is still looking into it. They could still reach an agreement with Facebook on what to do. Then Facebook would probably be shielded from whatever liability those actions would supposedly cause (their excuse "we might make mistakes"), because "we were told to".