Down-do-wells leaked personal data – including phone numbers – for about 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being deleted from profiles. In my opinion, this only reinforces the need to, where possible, remove cell phone numbers from all your online accounts. Meanwhile, if you are a Facebook product user and want to learn if your data has been leaked, there are easy ways to find out.
The HaveIBeenPwned project, which collects and analyzes hundreds of database trash cans with information on billions of leaked accounts, has incorporated the data into its service. Facebook users can enter the mobile number (in international format) associated with their account and see if the figures are exposed in the new data dump (HIBP does not show you any data, just give a yes / no or your data point to). 
The phone number associated with my late Facebook account (which I deleted in January 2020) was not in HaveIBeenPwned, but again Facebook claims to have more than 2.7 billion monthly active users.
It seems that many of this database, at least since last summer, has been kicking cybercrime around in some form. According to A Twitter message dated January 14, 2021 from Alon Gal of Under the Breach, the 533 million Facebook account database was first offered for sale in June 2020 and provides Facebook profile data from 100 countries, including name, mobile number, gender, occupation, city, country and marital status.
Under the offense also said in January that someone created a Telegram bot that allowed users to query the database for a small fee, enabling people to find the phone numbers associated with a large number of Facebook accounts.
A forum ad for cybercrime from June 2020 that sells a database of 533 million Facebook users. Image: @UnderTheBreach
Many people may not consider their mobile phone number as private information, but there is a world of misery that bad guys, crawlers and crawlers can visit in your life just by knowing your cell phone number. Sure, they can call you and be so annoying, but more likely they will see how many of your other accounts are – at major email providers and social networking sites like Facebook, Twitter, Instagram, e.g. – rely on the password recovery number.
From there, the target is prepared for a SIM swap attack, where thieves deceive or bribe employees in mobile phone shops to transfer ownership of the target’s phone number to a mobile device controlled by the attackers. From there, the bad guys can reset the password of every account to which that cell phone number is linked and of course intercept any one-time characters sent to the number for the purposes of multifactor authentication.
Or the attackers take advantage of other privacy and security flaws in the way SMS messages are handled. Last month, a security researcher showed how easy it was to abuse services aimed at helping celebrities manage their social media profiles to intercept text messages for any mobile user. The weakness is now presumably fixed for all major wireless service providers, but it really leaves you in doubt about the continued wisdom of relying on the internet equivalent of postcards (SMS) to handle securely with sensitive information.
My advice for a long time is to remove phone numbers from your online accounts wherever you can, and avoid choosing SMSs or calls for second factor or one-time codes. Phone numbers were never designed to be identity documents, but that’s effectively what they’ve become. It’s time we stopped treating everyone like that.
Any online accounts you value must be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually it’s a mobile app like Authy or Google Authenticator that generates a one-time code. Some sites like Twitter and Facebook now support even more robust options – such as physical security keys.
It may even be more important to delete your phone number for any email accounts you have. Log in to any service online, and you will surely need to provide an email address. In almost all cases, the person who manages the address can recover the password of any associated services or accounts – only by requesting an email to recover the password.
Unfortunately, many email providers still allow users to reset their account passwords by sending a link to the phone number available for the account. So remove the phone number as a backup for your email account and make sure a more robust second factor is chosen for all available account recovery options.
This is the thing: most online services require users to provide a cell phone number when setting up the account, but that the number should not remain linked to the account after it is set up. I encourage readers to remove their phone numbers from accounts where possible and use a mobile app to generate any one-time codes for multifactor authentication.
Why did KrebsOnSecurity delete its Facebook account early last year? Of course, this had something to do with the incessant stream of violations, leaks and betrayal by privacy through Facebook. But what really bothered me was the number of people who felt comfortable sharing extraordinarily sensitive information with me about things like Facebook Messenger, while I expected to be able to guarantee the privacy and security of that message just based on my presence on the platform.
If readers want to get in touch for any reason, my email is here krebsonsecurity by gmail dot com, of krebsonsecurity by protonmail.com. I also respond to Krebswickr on the encrypted messaging platform Wickr.