Facebook: Everlasting Delight!
April 29, 2021
We are still aghast at the carelessness that allowed hackers to access user information for about a billion accounts between Facebook and LinkedIn. The Facebook breach, at least, has spawned a couple of interesting side stories. First we learned that CEO Mark Zuckerberg uses chat app Signal, a competitor to Facebook’s WhatsApp. We also found out the Facebook breach has forced “Have I Been Pwned” to rework its search functionality, at least for this particular data set.
The folks at Signal must be delighted. India Today reports that the “Leaked Phone Number of Mark Zuckerberg Reveals He Is on Signal.” While both Signal and WhatsApp boast end-to-end encryption, there have been issues with what Facebook does with the back-up files. From Facebook’s point of view, this tidbit about Zuckerberg comes at an unfortunate juncture. Writer Yasmin Ahmed points out:
“The news comes at a time when many users outraged with Facebook-owned WhatsApp’s new privacy policy are moving to seemingly safer alternatives like Signal. WhatsApp’s contentious new terms of service are slated to come into effect from May 2021. The updated privacy policy changes how Facebook can access users’ chats with business accounts.”
Oh dear. In another tangent, we are interested in this change prompted by the leak—“The Facebook Phone Numbers Are Now Searchable in Have I Been HYPERLINK “https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/”Pwned,” explains the security check site’s own Troy Hunt. It is good to see a site adapt its search to evolving circumstances. But why was the site not already searchable by phone number? Hunt explains:
“I’d never planned to make phone numbers searchable and indeed this User Voice idea sat there for over 5 and a half years without action. My position on this was that it didn’t make sense for a bunch of reasons:
1. Phone numbers appear far less frequently than email addresses
2. They’re much harder to parse out of most data sets (i.e. I can’t just regex them out like email addresses)
3. They very often don’t adhere to a consistent format across breaches and countries of originPlus, when the whole modus operandi of HIBP is to literally answer that question – Have I Been Pwned? – so long as there are email addresses that can be searched, phone numbers don’t add a whole lot of additional value. The Facebook data changed all that.”
Indeed. While more than 500 million phone numbers were stolen, only a few million addresses went along for the ride. Until Hunt changed the search, he writes, over 99% of the many people checking on his site received a false negative. He was able to easily parse most phone numbers from well-formatted files in the breached data and normalize their format with a country code. The caveat—this fix only applies to this breach, unless or until a similar batch of phone numbers is harvested. See the post for the technical reasons that making phone-number searches standard is unworkable for the free resource.
Cynthia Murrell, April 29, 2021