Have I Been Facebooked?

  • "Currently, we don't know if Facebook has fixed the vulnerability since the company hasn't released any statement regarding the breach."

    "This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019" - FB

  • I deleted my (outdated) phone number from Facebook years ago and it's still part of the leak, with my name and gender in it. I did not replace the phone number with another phone number. Really says something about what "delete" means for FB.

  • Troy just added phone number search to Have I Been Pwned as well: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-... (https://news.ycombinator.com/item?id=26709848)

  • My number was leaked (checked the dump myself) but I don't show up on this site. Seems like there are some bugs to work out

  • I am a co-author of the site. We are already aware of your concerns about giving out your phone number. The source code is free and reviewable on Github. We know it's not possible to verify what's running on a server but we hope it adds a level of trust. We are currently hashing all phone numbers so we don't have to deal with them anymore. We will keep you updated.

  • Facebook should email those affected... surely they know who was compromised or not. Shouldn't have to use random sites for this. Why has there been no communication from them?

  • Can someone bcrypt all these phone numbers & emails and make that public? Share the salt and then everyone can just test their own phone number without sending it to some rando

  • How does one know a site like this is not just another data harvesting site?

  • Not sure what’s going on but it says my number is not part of the leak, but I’ve checked myself and it is actually leaked. Just be aware that it may not be complete.

  • Hmm, I haven't given Facebook a phone number. How can I check if my account is included in the leak? Haveibeenpwned doesn't include Facebook in the leaks with my FB email, but I'm not sure I'm checking in the right place.

  • No one else wanted to try, but I had a feeling my data is breached (seems to happen every few months?)

    Anyhow, my phone number had a hit and they showed my first and last initial and corresponding asterisks; seems legit.

    For people saying "why enter your phone number into random site" -- not sure how much value a phone number provides without the accompanying information.

  • From what I can see, this site sends your whole number to the backend to search for a number in the dump[0], while haveibeenpwned.com will hash the input, send only a prefix to the server and receive a list of hashes with the same prefix. If your hash is in the list, you've been pwned, but you can check without leaking your data to HIBP.

    Edit: I just checked, seems like the form on the front page of HIBP also submits your complete email/phone number. Pretty sure I read about how you don't have to submit your personal data to validate against HIBP, not too long ago...

    [0]: https://github.com/Fumaz/haveibeenfacebooked-api/blob/master...

  • Why would I enter my info on a random site though?

  • “Has my credit card number been leaked”.com

  • I have made a similar site, but just for Lithuanian numbers:

    https://fbhack.lekevicius.com

    All the numbers that I know for sure to be in the leak return "not found in the leak" on this site.

  • So, a few things.

    1) no indication that there's any rate limiting here beyond a 2 second cooldown (thanks for that, grenoire), but I only tested it using burp intruder community edition, and I only tested it on a set of numbers guaranteed to return false. If anyone wants to test a range with a known-leaked number in it, up to you.

    2) it's very possible that if there is rate limiting, it acts invisibly.

    But if there's no rate limiting, as I suspect, someone can easily just iterate through this data set and extract every number (well, until Cloudflare trips the requests). Alternatively, someone can request a large set of numbers that includes their own in order to fuzz the range their own number is in.

  • I'm looking forward to the sequel, "Have I Been 'Have I Been Facebooked'ed" when it turns out this is just a data harvesting operation.

    If you don't want your phone number leaked don't hand it over to a random website that pinky swears it won't keep it. It's maybe not a scam, but still...

  • Every time I see a site like this I wonder if the site is legit, or does it "match" the phone number with an IP.

  • Aren't telephone directories a thing anymore? At least in my country you can just search for a person online and see their phone number. Someone's phone number seems like the least sensitive PII.

  • Be aware that this (currently) doesn't work for Canadians (at least the one I checked). You'll have to download the dump yourself and grep.

  • This is the first time I see the UAE being called ARE in a country list. I even went and asked Google, and it turns out there is in fact one ISO standard that calls it ARE. All the others, including ITU (we are talking about phone codes, after all), call it UAE. Really strange choice of naming standard for something phone-related.

  • Wish it supported wildcards. I'm not comfortable putting in my phone number for the exact reasons the author states.

  • Be aware that this site doesn't seem to be the whole story; it doesn't match me, for example, but this one does: https://jstsch.com/facebook/ (NL only)

    So there's some ambiguity or incompleteness somewhere.

  • I wish there was an "email" input. Last time I had a Facebook account was 10 years ago (probably before phone numbers were de facto identity) and I would be fascinated to learn if my old accounts were in the leak, because Facebook was supposed to fully delete those accounts :)

  • If you don't want to input your full phone number, you can use this tool: https://codeeverywhere.ca/apps/fb_data .

    Searches use partial data from multiple fields to find matches.

  • My 2c security tips:

    - I trust my browser and the site owner: text in the clear

    - I barely trust site owners (if a match is found they still have access to the fact that I've verified that number):

    hash each phone number, i.e. using bcrypt with a composed salt (i.e. site address + email in the account + phone number) so a rainbow table will be impossible to use (this because phone numbers are low entropy and even without a rainbow table IMO are not that secure)

    then ask the user for the hashed version in the text field (also write a Linux terminal-style command that can be used to hash with the given salt and hashing method, or redirect to a trusted hasher service online (multiple links can be provided))

    both text fields can be provided to allow the user a choice

  • That's odd. My number is in the leak, but it doesn't check on this website.

  • I'm a little skeptical this is accurate. Supposedly 1/3 of my country's population is in this leak, yet not one of the 40 people I tried in my contacts list appears in the leak.

  • The website says no, but after downloading the whole dataset and doing a quick search using "grep -rnw" I found my current phone number in addition to my grandfather's (also on FB), so even if the site says you're not facebooked, please check the raw data available on the pastebin archive (https://archive.is/MZqak)

  • I am annoyed. I haven't updated my Facebook in years so most of the data is out of date and I use a separate phone line for personal correspondence, but I do still have a Facebook account for the occasional friend/family that uses messenger. This might be the final nail in the coffin for me and get me to delete my account.

    Maybe I can finally get my last couple of friends to switch to Signal.

  • The phone numbers put into this website can be trivially reversed despite the false sense of security the phone-number disclaimer provides: https://code.express/docs/blogs/facebooked/

  • haveibeenzucked is arguably a better name for a site.

  • Anyone know of one of these sites where they don't send your phone number / email to the server? The /search endpoint phone_number param has your number.

    They should instead hash your number client side and test the hash.
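    The prefix-range lookup described earlier in the thread (hash locally, send only a hash prefix, match the returned suffixes on the client) and the client-side hashing this comment asks for, as an added example; this is illustration code, not the site's or HIBP's implementation. It assumes SHA-1 with a 5-hex-character prefix, as HIBP's password range API uses, applied to E.164 phone numbers, and the leaked-number list is constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for the leaked data set (not real numbers).
LEAKED_NUMBERS = [
    "+15555550100", "+15555550123", "+447700900123", "+37060000000",
]
PREFIX_LEN = 5  # assumption: same prefix length HIBP's password range API uses


def sha1_hex(value: str) -> str:
    """Hash a phone number in E.164 form; client and server must normalise identically."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_index(numbers):
    """Server side: bucket hash suffixes by prefix so lookups never touch raw numbers."""
    index = defaultdict(set)
    for n in numbers:
        h = sha1_hex(n)
        index[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
    return index


class RangeServer:
    """Answers range queries and records exactly what it received from clients."""

    def __init__(self, numbers):
        self.index = build_index(numbers)
        self.received = []

    def range(self, prefix: str):
        self.received.append(prefix)
        return sorted(self.index.get(prefix, ()))


def client_check(number: str, server: RangeServer) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    h = sha1_hex(number)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range(prefix)


def server_only_saw_prefixes(server: RangeServer) -> bool:
    """Privacy property: every request the server logged was prefix-length only."""
    return all(len(p) == PREFIX_LEN for p in server.received)

# Caveat: this hides the querier's number from the server. It does not protect the
# data set from the querier: phone numbers are low entropy, so the suffixes in a
# bucket can still be matched by hashing every plausible number in a dialling plan.
```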

  • I never shared my phone number with FB, neither for 2FA nor anything else, yet it is in this DB. Could FB get the number via my Android FB app?

  • Yeah, not going to use any search tool where I need to enter my number... You could just post the data by area codes: just create a bland UI that lists all area codes, let the user click into the area code and then on the next page list all the phone numbers in that area code that have been affected.

    I'd use that but not searching by phone number.

  • Never handed over my number when I could avoid it. I'm very suspicious about it for some reason

  • This site doesn't seem to include the leaked numbers from my country +356 (MT).

  • Do not put your number here FFS

  • Down as of 06APR 1715 PST. Looks like a legal warning by the Italian Gov?

  • This says no but haveibeenpwned says yes. Hash collision on the HIBP site?

  • "Is Facebook still safe to use?"

    Has Facebook ever been safe to use?

  • HTTP 451 - Unavailable For Legal Reasons :(

  • Already getting spammed hourly by text messages pointing me towards URLs I should click.

    AFAIK there isn't much awareness about this leak amongst most of FB's userbase: less tech-savvy and 40 yrs+.

  • Weird title, since one without a Facebook would assume this service is for them. If you have ever signed up for Facebook and are wondering if you have been facebooked... yes, you have been facebooked.

  • What I want to know is where you can find this information. Also, is it even legal for the website owner to hold stolen information?

  • ```
    Facebook account ID
    First name: P**
    Last name: N***
    Gender
    Relationship status
    Location
    ```

    :: squints ::

    I'll grant you, this is much more problematic for some than me. But for me, this is, roughly, analogous to my actual LinkedIn, Github, or Hacker News profile, which link to my resume (which has my phone number), combined with a squint at my age and a guess.

    There's a lot worse that could be leaked.