[dupe] Facebook does not plan to notify half-billion users affected by data leak (reuters.com)
651 points by wdb 2 days ago | 296 comments

I’ve said it before and I’ll say it again: unless and until companies like Facebook are fined appropriate amounts, they’ll never stop.

Quite literally, every business school on the fucking planet will tell you to do something if it’s cheaper. It is cheaper for them to not give a fuck than to give one. Unless they are fined upwards of $20-50bn it’ll never stop, because it’s always going to benefit their bottom line. Full stop.

If you don’t take 10-15% from a company they won’t ever be incentivized to stop. This 5% or less bullshit has to stop if folks want change.

Edit: small grammar fix.


If customers do not care enough to stop using the product then there is no harm. Put another way: the people you are trying to protect don't want your protection, because they don't care enough about the breach to stop using the product.

They shouldn't be learning about the breaches from the company that has been breached because that gives the company too much power. Instead we should empower watchdog organizations to be our source of news for data breaches.


> If customers do not care enough to stop using the product then there is no harm.

Facebook users (notably not customers) are the ones being harmed here, and they don't exactly have free rein to choose the platform their communities talk and organize on. If I choose not to use Facebook then I'm isolating myself from my community.


Relying on one irresponsible for-profit organization for your communications is a disaster waiting to happen. By using that service, you enable them to continue. It takes two to tango.

Yes, so people would use Insta. Then it gets bought by Facebook. Then WhatsApp, also bought by Facebook. Etc. Everywhere you run, Facebook and friends are waiting with a warm, privacy-suffocating hug.

What the hell is the FTC and DOJ doing allowing these obvious anti-competitive mergers and acquisitions? How is Amazon able to sell physical and digital products, control distribution channels, and sell significant infrastructure? I am no monopoly expert, but in my opinion, AWS is a significant competitive issue. Did we learn nothing from US Steel and Standard Oil? Has the Clayton Act been ignored? It seems like the Sherman Act matters as well: companies all agreeing, within hours, to ban certain apps or content. That’s not competition.


You're ignoring the comment you're replying to. It's not 'two to tango', it's the network effect Facebook deliberately set up and perpetuates through growth and acquisition.

People don't care enough because it's a privacy inconvenience vs all their communication with their family and friends. There's little that will tip that scale.

The answer is probably strong anti-competitive legislation that makes it easier to move service, easier to inter-operate between services, and making services more granular.


> If customers do not care enough to stop using the product then there is no harm

If you quit using FB and were still leaked, now what? If you were leaked because they hold a shadow account?


Good point! What do you think we should do about this problem? Ban companies from holding onto data when they are deactivated? How would we enforce that?

The problem is even worse: if your friend shares their contact list and that is the data that gets leaked, what then? I think that brings into question the entire idea of a phone number belonging to one person. A friend can give consent to share your information. Maybe we are focusing on the wrong set of problems?

Maybe phone numbers / email addresses being leaked is a problem that cannot be solved and instead we should focus our efforts on spam filtering or being able to easily change those identifiers.


I think they should notify everyone affected. Provide them with what was leaked, when, how, and how it's been patched. And also provide the user the ability to have all the data permanently deleted from their datastore if they desire.

Unfortunately it's not as simple as that when large scale network effects are involved.

No, societies recognize that everyone shouldn't need to be a doctor/engineer/financial analyst to avoid harm in daily activities, so we collectively empower regulators like the FDA/FAA/SEC to protect us from unfettered capitalism.

Likewise we shouldn't expect people to all be computer security experts, but we should expect regulators to keep us safe by creating standards and enforcing penalties for companies failing to meet them. I'm not saying we need a new regulatory agency, but we do need enforced regulation with scalable teeth.


> No, societies recognize that everyone shouldn't need to be a doctor/engineer/financial analyst to avoid harm in daily activities, so we collectively empower regulators like the FDA/FAA/SEC to protect us from unfettered capitalism.

This centralizes power to a few at the expense of the many. Furthermore I deem the social contract to be unethical so I would not include myself in the "everyone" camp. I'd much rather see watchdog organizations regulate the market.


You the individual have no power to make Facebook, or any large organization, change its behavior. To it, you are like an ant is to a human. There is no "at the expense of the few" when you have nothing.

But just as a colony of ants can destroy a house, so too can we puny humans, when united, extract demands from huge corporations. Individual regulators do the actual fighting, but they do so on our behalf, with our collective backing.

(Side note: so cool of you for disagreeing with the social contract, though your edgy dissent is only possible because the majority do accept government.)


Agree. Insurance companies can play a part in that as well. Requiring certain standards be met before writing coverage or covering a loss.

However, the FTC needs to play a bigger role in enforcing Clayton. Facebook should never have been allowed to buy Instagram or WhatsApp.


Here in Mexico, in theory every personal record that is leaked without the holder's permission can get the company a $5000 fine. Given that this leak has at least 50,000 records from Mexicans, Facebook could be fined up to $250,000,000.

I don't understand why the government doesn't go for these types of things. On one side... it is easy money for the federation. On the other side, on a "personal" level for the bureaucrats, it is at least some good money they can keep corruptly.


When I think about a small, bootstrapped operation, that kind of fine would bankrupt them. When I think about Facebook, that kind of fine wouldn’t even bother them. Not sure what the answer there is. At some level a very harsh fine says, no matter the value of the product, if you screw up we shut you down, unless you’re big enough to not care at all.

The fine is "up to" that amount. There have been smaller companies that have been fined way less than the top.

One thing I will tell you, when I was in charge of the data of a FinTech in Mexico, we were VERY aware of those fines and took a lot of care regarding our security.


Perhaps the fine amount should be a function of market cap for public companies.

The fine should be proportional to the damage. A tiny medical startup that leaks psychotherapy records “hurts” more than a company that leaks your shoe size.

Perhaps companies should buy insurance for this and then that would incentivize insurance companies to help protect their clients. Insurance requirements are a significant safety factor at many physical businesses. The law is important, but being denied insurance claims is a great private-sector solution. Of course, for insurance to be meaningful, the penalties have to have significant teeth. A mega-corp (by revenue) would likely self-insure; however, they’d still have incentive to do right if the penalties were per record, not per breach. For HIPAA, there’s a fine of up to $10k per record for a breach. 10k times 200,000,000 users affected becomes real money even to Facebook. And, let’s make the fines payable to the user, not the government. The user is the one incurring the harm, not the government. The government still gets their slice since such awards are taxable.


> The fine should be proportional to the damage. A tiny medical startup that leaks psychotherapy records “hurts” more than a company that leaks your shoe size.

I agree. I meant that market cap should be taken into account along with factors such as damage. The goal is that for the same wrong, a small and a large company face the same penalty, but adjusted in proportion to their financials.


> Perhaps companies should buy insurance for this

They literally do, and I think it lightens the blow more than anything.


If the value of data protection is that high then civil suit reform (lower overhead filing, improved class actions) should accomplish the same thing, and give the money to the owners of the data, without creating a massive defensive moat around the few companies that can afford the risk.

You are right.

This should be a 25 billion dollar fine.

For a business entity this is the only thing that will motivate them to try harder in the future.


> every business school on the fucking planet will tell you do something if it’s cheaper. It is cheaper for them to not give a fuck, than to give one

But governments rarely impose a fine based on the entity's revenue, let alone calculate a fine based on the impact of negligence like this. I guess FB has decided that even if a GDPR fine is triggered, paying it is better than reminding half a billion users that using their platform is dangerous.

I've witnessed, while literally getting sick from the compliance burden of running a company as a single person (i.e. making sure I don't fall behind on any of them), large companies calculating the expenditure to 'fix the fine' if raised by the govt. after several years and deciding NTGAF, as the fine/fix is 'negligible' for them.


My only issues with this are that it's impractically hard to protect data to the extent necessary, and large fines become a lever for disgruntled employees to cause massive damage.

Don’t store data you can’t protect. Just because something is ‘hard’ doesn’t mean it shouldn’t be done.

That's a great line for a stump speech, but try building this system yourself.

Your argument doesn't hold water - lots of systems have users without collecting their phone numbers.

It's not just phone numbers, though. It could be private messages, friends-only posts, IP address logs, physical addresses, SSNs--the list goes on. You'll quickly find that anything non-trivial will start collecting data users wouldn't want public.

> Don’t store data you can’t protect.

Services like social networks don't need to store physical addresses, SSNs, phone numbers, etc. Therefore, that data should be looked at like a liability rather than an asset. It shouldn't be collected in the first place.

Data like private messages, friends-only posts, etc are needed for the features they want to provide, and they should only provide those features if they can protect that data.

https://martinfowler.com/bliki/Datensparsamkeit.html


Excessive fines could bankrupt startups and even incentivize companies to hack their competition into bankruptcy.

I have a strong suspicion that, if a government tried to fine a company in billions, that company would simply leave the country forever. I'm not saying that this is a good thing or a bad thing. It's just an intuition that I have.

To make a rubbish analogy, this is like arguing that making it illegal for teachers to do murders would make all the murderous teachers move. Great? We'll be left with the non-murderous ones.

I don't think there's much that would wholesale get Facebook to withdraw from a huge market like the US but if they did then competitors that did obey the new laws would take their place, as long as the entire business model wasn't completely defunct.


Rubbish? No, I liked your analogy. :)

What do you mean? Companies have been fined multi-billion dollar amounts in the past. Withdrawing from the US market is simply not an option for many companies. I strongly suspect it wouldn’t be a realistic option for Facebook.

That said, I think the parent comment that suggests “20-50B” fines is dramatically overestimating what it would take to promote more depositor behaviour here. Even much smaller fines with the threat of larger ones would likely be sufficient.


On top of that, withdrawing from the country after breaking the law and being fined is like fleeing the country after being convicted of a crime. It's not a legal cover.

The first move is usually to legally object to the fine if it's more than the cost of doing business, leading to years of back and forth. Look at the fine the EU imposed on Intel in 2009 which keeps getting contested and reexamined. Increasing the cost and friction for the ones trying to recoup the fine makes them more willing to negotiate a faster settlement (usually better deal for the company). It's a good bargaining chip for the company if they have very few assets under that jurisdiction or it's a market they can afford to lose. So the company pays some of the fine and then sees much stricter controls applied to them in particular, not via law but via the settlement.

Finally the company is represented by a CEO and/or board and those are the people ultimately responsible for disregarding a court decision. There could be attempts to hold them responsible but the US is famous for protecting any CEO from prison time (inside or outside of US borders). The US has a history of refusing to extradite CEOs convicted simply because they can purchase their way out of any trouble, it's only a matter of price. So this last step is mostly symbolic, the CEO is convicted because justice has to be served in the accusing jurisdiction.


And go... where?

China seems like a place for big brother love

Cool, they can leave, let their competitors take over, or new entrants that will do the needful.

It would be pretty awesome if they left, and then we just blocked the entire IP address range with them.

Or just break them up? Both parties in the US have spoken about breaking the "Big Tech" monopolies for a while now. Maybe some grass roots activism could finally get it some traction?

We have a three strikes law in CA. I haven't done any research to find out how effective it's been in reducing crime, but something similar for big companies like Facebook might be a way of dealing with this nonsense?


I agree but where would the money go?

Keep the relevant enforcement agencies fed and watered for starters, and the rest goes to govt as a contribution towards the usual things that taxes pay for.

In this period? Helping business and people hit by lockdowns. Vaccines. The list is too long to fit in this page. If there ever was a time for governments to go after megacorps money, this is it.

It's complicated. Some large companies make every effort, but are still plagued by lawsuits. Do everything to the best of your ability, and still sometimes somebody will cut themselves shaving or whatever, and sue. I know of one that settles for anything under a quarter million without even determining merit. Because it never ends.

I know, Facebook has made an egregious error. But overreacting (kill them all!) is not a good solution?


> Some large companies make every effort, but are still plagued by lawsuits.

But that's clearly not what's happening in this case:

> Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.

...

> Ireland’s Data Protection Commission, the European Union’s lead regulator for Facebook, said on Tuesday it had contacted the company about the data leak. It said it received “no proactive communication from Facebook” but was now in contact.

> The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident.

I'm not sure how that can be categorised as making every effort?

(EDIT: formatting)


You are advocating creating perverse incentives. A specific branch of government, a select agency, to become a profit center through continuous finding and fining of ever more wrongdoings. All morally excused because the victims are faceless multinational corps.

We all know how badly that goes with speed traps and red light cameras - instead of improving, the road conditions and sometimes even local rules are tweaked to maintain steady cashflow.

Say no to revolving doors of regulators, say no to moral hazard of what effectively amounts to vice tax. Apply criminal penalties when reasonable, don't make data leaks & privacy breaches just another cost of doing business.

-edit-

Clarification: a fine works well when it's expected to be a rare penalty enacted on a singular player, as it makes that player noncompetitive in the market. Conversely, when fines are expected to apply regularly and at a proportional rate to most, or all, players in a market, the fine no longer makes the player noncompetitive; it merely shifts the market. Perhaps some alternative markets (print? radio & TV?) would pick up some of the advertising slack, but largely it'd be a regular money transfer from corps to the government. And a "vice tax" like that is a clear moral hazard, with no natural end in sight.


They’re advocating removing perverse incentives, so that data leaks and privacy breaches are not “just the cost of doing business.”

Fine. Slippery slope perhaps.-

Make it a "third sector", properly audited NGO (watchdog, thinktank, foundation ...), with ties to some appropriate umbrella (UN, ICJ), that uses some sort of blockchain solution to fine as needed, and then allocate compensation from this to aggrieved parties, or social programs, compensating not only for loss of privacy, but for the other nasty effects (fake news, emotional distress, political polarization ...) that F'book is causing.-

Otherwise, our souls are just another cost of doing business to them.-


Now it makes more sense. Going a bit further, you could perform it within the already existing framework: apply criminal penalties where a sufficient threshold of harm has been reached. Perhaps even adjust judicial doctrine a bit to better handle cases of large numbers of small, or statistical, harms; there are parallels to how we already tackle health hazards and other stochastic, broad harms.

The key consideration is avoiding perverse incentives. A stellar example is how the GDPR disaster is unfolding: the smaller websites are still plastered with "cookie warnings" making them less usable, while the larger platforms - Youtube, Google - already pivoted the warning dialog into nagging for logging in, making anonymous browsing incrementally less practical. The difference in power lets the larger players use as a moat the regulation that's prima facie about privacy.


> there are parallels to how we already tackle health hazards and other stochastic, broad harms.

I like your approach to these damages as stochastic, broad, ergo "actuarially" manageable ...


Thank you. We want to develop morals and jurisprudence around the subject for more reasons. Computerization, in particular networked computerization, has introduced problems like "wormable" devices, where the impact of a single device or data item is tiny; however, at scale they can quickly rack up considerable damages and losses.

> continuous finding and fining of ever more wrongdoings.

How perverse indeed.

> A specific branch of government, a select agency, to become a profit center

So don't directly give them the money from the fines, simple.


For years companies have been steadily asking, mandating or even tricking users into giving them their phone numbers under the excuse of security (while the real reasons were different), now what?

How can they be trusted anymore?

This also strikes a great point about the data sharing between Facebook and WhatsApp. Linking data between services augments the dangers and the consequences are not obvious to the end user.

I think Facebook should offer their users the option to remove their phone numbers with a real deletion.


> I think Facebook should offer their users the option to remove their phone numbers with a real deletion.

Man sometimes I think people forget phone books existed for a long time.


I had the same feeling. It seems the two things here in question are my phone number (which luckily I never gave fb), and my email, which every spammer in the world already seems to have?

I noticed this even back when phonebooks were a thing: a 'private' number was not something random people should call. Yet the reality is that number is kind of public but not. If you did accidentally call one you would get 'how did you get this number' from the person you called.

Judging by the number of phone calls I get these days, they have also already correlated a huge number of these. Short of me changing my number every few years there is not much I can do. I am getting cold calls on property I bought 20+ years ago, with them asking if I want to sell.

At the bottom of this though is the 'data' these companies are scouring on us, then cross-correlating it. I have for the past few years come to the conclusion that data is harmful to keep, for both the end users and the companies that do it. Companies like google and fb seem to be of a very different opinion. Companies should be going into collecting data with 'how do we get rid of it after some period of time', not 'let's buy more HDs to keep it on'.


> Man sometimes I think people forget phone books existed for a long time.

If the notion were introduced today, nobody would tolerate them. That they once existed is hardly an argument that such things are a good idea.


Not to mention that all people I knew growing up opted to have their numbers removed from the phone books. People don’t want their number to be visible to everyone.

And you had to pay monthly for that 'service' -- for them to NOT publish your number.

The phone book is a completely different animal. As an example, they are almost useless for reverse lookup of a number...

Reverse phone books were a thing. They were harder to get but libraries had them.

I can see a few (a lot) of differences between a phone book and Facebook in this analogy.

Well yeah, they aren't "really" the same thing. It was just that phone numbers weren't considered all that private back then. ¯\_(ツ)_/¯ Just a hot take.

Back then you could ask the phone company to unlist your number... and they actually did it.

Also, back then, it wasn't feasible for random people online to put your information into endless databases to be called on repeat by auto-dialers. Back when phone books were prevalent was not the same world. It is an excellent point that phone numbers (and even addresses!) were considered public for a long time. However, I think there is plenty of reason for the conscious consumer to want their number to be more private, in light of where we are today. Today, someone can use your phone number and address to steal your identity, harass you, use it to get more information, etc.

> How can they be trusted anymore?

They never could be.


[flagged]


[flagged]


Given the number of times this quote has been dutifully typed in this thread, HN finally found its narwhal to bacon at data breach, it seems. It’s interesting to watch the competition between those flagging it off the site and those repeating it, apparently unaware it’s been flagged and removed already.

Further, I think sovereigns should mandate a class-action monetary compensation from F'book to each and every user affected, as a pre-req for further continued operation in each national jurisdiction.-

This, of course, due fines aside ...

Edit: See my further comment upthread on this, or other solutions.


Facebook should also offer complete opt out from any tracking. Their model where they offer their service for "free", but harvest tonnes of personal data and then use them for targeted advertising, should be regulated. If your family is on Facebook and you want to maintain contact with them, it is next to impossible to move everyone on a platform that respects privacy. I think an option where you pay monthly and in exchange your personal data is not being used should be mandated by law.

I agree with much of what you say here and I think it would be an improvement. Personally, I still wouldn't use a tracking-less Facebook because:

1. I don't trust Facebook to not track me. When I left Facebook for good in 2014 it was because, for the second time after setting all my settings as private as I could (show photos only to friends, etc.), Facebook somehow reverted everything to "public".

2. Their algorithm is still aimed at generating controversy rather than truth, and that's enough for me to not use it.


Phone number is a primary second factor for most people, and either a phone number or an email address is required to authenticate the person logging in is really the owner of the account in many instances such as logging in from a different computer.

Google does the same; they've even published a paper showing that just adding an email address is enough to eliminate 90+% of phishing attempts.


Certainly I cannot be the only one who finds phone numbers, email addresses, and many other things quite inconsequential compared to name and address.

In particular, there could easily be a postal system implemented where the sender would not need the actual physical address of the receiver. The receiver could easily ask the postal service to generate an arbitrary key which could either be single use, or multiple use, in order to deliver, so that one could receive mail and packages without having to surrender information regarding one's place of residence to the sending party.

Recently, I was hand delivered something from my sports club at my address as an apology for COVID. All quite considerate, but I'm not so comfortable with the fact that apparently my physical address is known to arbitrary members of said club, and that I was required to give it in order to sign up, which is necessary with modern technology.

There is no theoretical need to surrender one's physical address to join a sports club, but physical addresses are exchanged everywhere as though there were no problem with this. They are of course the easiest way to stalk and harm someone.


So much of what is considered private "PII" today was considered public information only a generation ago. When I was a kid (1970s):

- Names, addresses, and phone numbers were published by the phone company in a book and given to everyone.

- Hospital admissions/discharges were published in the local newspaper.

- Social Security Number was used for everything. Many people included it on their pre-printed checks. Engraving it on valuable personal possessions was encouraged, for help identifying them if they were stolen.

None of this was considered a real violation of privacy, or at least I never heard anyone really express any concerns about it. Unlisted phone numbers were a thing, but very few people had them and it cost extra to have one. Most people wanted to be in the phone book so others could contact them.

I guess the big thing that's changed is identity theft is now a thing. That's because it's become possible to "identify" yourself by providing enough information about yourself without actually being physically present. Also online harassment/doxxing. All of which is only a problem because everything and everyone is online now. That is the real problem, not the information itself. Of course there's no putting the genie back in the bottle.


> None of this was considered a real violation of privacy, or at least I never heard anyone really express any concerns about it. Unlisted phone numbers were a thing, but very few people had them and it cost extra to have one. Most people wanted to be in the phone book so others could contact them.

Yes, and I think it was wrong to do so.

I think it's ridiculous to be worried about websites tracking one's noncorporeal identity tied to an integer on the internet compared to the fact that everyone in my sports club can easily retrieve my physical place of residence.


> ... Linking data between services augments the dangers and the consequences are not obvious to the end user.

Or the end user's friends and family, whose privacy was also affected by being in the user's contact list.


Obligatory:

"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg


> with a real deletion

Lol.


> For years companies have been steadily asking, mandating or even tricking users into giving them their phone numbers under the excuse of security (while the real reasons were different), now what?

> How can they be trusted anymore?

I don't know if they can. I had specific conversations about things like preferring TOTP to phone in internship and job interviews, but I struggled to land the prestigious roles others did, though people I've spoken with informally certainly like to parrot key phrases I liked to use when we'd socialize at conferences.


What does the last sentence have to do with trust?

"The Facebook spokesman said the social media company *was not confident it had full visibility on which users would need to be notified*."

@Facebook here you go: https://haveibeenpwned.com


I use [email protected] to sign up for accounts. [email protected] is something I try to only give to friends.

According to that site, my personal email has been leaked by Adobe, and by a bunch of shady database firms I've never heard of.

(On further reflection, I probably used my Google account to log into Adobe, which leaks my personal email to the site I'm logging into.)


Most of those shady databases are data collectors. Sometimes I see those on domain wide reports for names even if the user never actually had that email address. Sometimes it's just a guess.

Ex: You might see [email protected] in the report for those db, even though Joe Smith only ever had [email protected]

And sometimes it's legit scum collection. Some of the spam you get is just verifying which email addresses work and which don't. If it doesn't bounce, you know you've got a valid email address. Works for a lot of businesses (but not if you've got a personal catch-all).


I think Facebook (rightfully, IMO) would argue the existence of that data dump is no proof that data came from Facebook’s servers.

They can’t assume that, or trolls or unscrupulous competitors would start creating ‘Facebook’ data dumps left and right.

I do wonder what EU regulators will say about their viewpoint that they do not have to inform their users, though.


If they can't measure the scope of the breach they must notify all customers that they might have been affected.

>I think Facebook (rightfully, IMO) would argue the existence of that data dump is no proof that data came from Facebook’s servers.

Mark Zuckerberg's phone number was in the dataset. It came from Facebook.


It probably came from Facebook, but that doesn’t follow from the fact that Zuckerberg’s phone number is in the dump. I don’t see how, even before this dump was made public, Facebook could have been the only entity in the world to know that phone number.

One well-known company I worked at had a data breach published online and reported on. I know people on the accounts team and security team and have seen the code for how passwords are hardened. No one internally who knew those systems thought it was a breach; it was more likely people reusing credentials that were breached elsewhere.

While I get what you mean, the data has the profile links too. Matching the data to real Facebook profiles would be near? impossible if the source was not Facebook.

If Facebook has since deleted some of those accounts or associated phone numbers, they may no longer have a way to contact those users.

The GDPR in Europe would require them to delete that data in a bunch of circumstances.


The breach has phone numbers and emails - why wouldn't they be able to contact those users with that information?

Facebook can't use the breach itself to contact users, no. The data could have been tampered with, and besides, Facebook doesn't have permission to process the leaked data in that way.

A company that employs dozens of data scientists and has petabytes of data is now supposedly unable to compare and match two datasets? Come on, this is beyond ridiculous.

Clearly they technically can. It's that the GDPR doesn't allow it.

Think about it... If you asked a company to delete your data, are you giving them permission to go refind that data on the dark web, cross reference it with records they should have deleted, and use it to send you email? Clearly not.


> It's that the GDPR doesn't allow it.

Source? Nothing prevents Facebook from making a public announcement that anyone that had an account on Facebook between dates X and Y might have been affected.


If GDPR prevents people from being notified that their data was breached, then the GDPR needs revision.

GDPR mandates notifying affected users, so there's no reason to change it.

Unfortunately there's a lot of misinformation around GDPR spreading online.


The post I was replying to was claiming the GDPR prevented it. If that is incorrect, then so be it. I'm American, so it largely doesn't directly affect me.

I doubt Facebook gives a shit about the GDPR.

If they find a match against the leaked data, that would validate it and prove it had not been tampered with and at least allow them to contact a subset of users. Why can't they do that at least?

They can do that. They probably won't because they'll argue it's all part of people's public profiles and therefore published information rather than private information.

That distinction doesn’t matter for the GDPR. Publicly available information can be personal data, even if the entire world knows about it.

Because they might have deleted some of the accounts they no longer have an obligation to notify the rest that they haven't deleted?

While this may be true, this doesn’t have to be an all-or-nothing thing.

It isn't true, that was the point of my question. They could (and must) notify the ones they still have data about.

The way your comment is structured, it is not obvious that it is a question.

> They could (and must) notify the ones they still have data about.

I agree strongly. For what it's worth, this is absolutely not what I took away from your other comment.


The question mark at the end of their original comment is a strong indicator that it is indeed a question.

> Because they might have deleted some of the accounts they no longer have an obligation to notify the rest that they haven't deleted?

The sentence structure is a strong indicator that this is something other than a question.

This could easily be interpreted as:

"They no longer have an obligation to notify the rest, because they might have deleted some of the accounts...duh"

The commenter's clarification removed the ambiguity, but let's not pretend the original statement was crystal clear. I think the difficulty interpreting the comment is also partially a result of just how passive-aggressive many comment threads have become. After clarification, I understand the original intent. Without that clarification, there are two interpretations.

A different way to say this would be:

> "Are you saying they no longer have an obligation to notify the rest just because some of the accounts might have been deleted?"


> If Facebook has since deleted some of those accounts or associated phone numbers, they may no longer have a way to contact those users

That would totally defy logic.

I don't think that Facebook deletes anything ever.


I deleted my account a few months ago and was pleasantly surprised to find that it didn't surface in the breach. It could just be hiding in a different datastore of course, but it's definitely more fucks than I thought they gave.

I don't know that this follows, given that the prior probability that your info was leaked is pretty low. "Only" 20% of global accounts' info were leaked, and only 13% of US accts

The leak is from 2019 though

Oh interesting; I thought I read somewhere it was recent.

Same here, deleted about 6 months ago. Was just as surprised.

Well, I deleted mine in October 2019 and I'm in.....

Have another cup of coffee, the data is in the leak.

Can you clarify what you're talking about? I do not believe that GDPR regulations prevent Facebook from notifying their users about a data breach.

I mean, GDPR is a joke but that would be absolutely nonsensical.


This huge leak has definitely killed the SMS text messaging service. The sender can be spoofed and spam/scam/phishing have reached an intolerable level. The fact that they can cross-reference you and then produce more personalized content is huge. Changing a password is easy (ok, less easy if you recycle it) but changing a phone number is something that I am not even relaxed to do.

Can anyone on HN please explain why, why, WHY are we still using SMS/telephony which has exactly 0 encryption wh---I guess that's the reason?

It's insane. I've heard banks using SMS!!!! To send a code. We have TOTP for that! Or even perhaps a push notification or something better than bloody SMS.

I refuse to use the networking system altogether. No phones, no calls. Of course you do 'need' a number so I keep one handy, but I haven't read a text or made a phone call in a long while.

It needs to die. NOW. Outlaw SMS!


> I've heard banks using SMS!!!!

It sounds like you're incredulous that even banks are being insecure, but history has shown that you can expect banks to be roughly last in terms of competent and secure IT. I trust my Walmart.com account info to be safer than my bank info.


It's because SMS works without data.

I doubt that most of the people that complain about SMS live in rural areas. It seems to be more of a US thing. The country is so large that unless you live in a city you just won't be able to get data reliably. This leaves SMS as the only form of phone communication that isn't a voice call.


Agree, SMS just works, everywhere and always, with every mobile phone.

It's simple, it works with the dumbest of mobile devices, and people understand it.

Even installing and using a TOTP app, and configuring it to work with an online login, is a hurdle that a non-negligible number of users cannot pass.

It's better than nothing.


Can my website send 2fa tokens via iMessage?

I don't know anything about the technical details with this, but I wonder why mobile service providers don't just kill off regular SMS and calling, and start providing service exclusively through data connections? The infrastructure for that old stuff can't be free for them, there must be some significant costs associated with it.

Maybe Starlink will be able to provide a mobile phone service that only offers a data connection one day, and that will be the "disruption" the mobile industry needs.


As far as I know, newer cell phone standards only define how to transmit data. Phone calls are simply layered on top of that.


Facebook didn't even change user IDs. You can look up those people's accounts to find even more information. It is crazy they got away with it.

> Sender can be spoofed

Is this worldwide or US? I for now trust the senderid and assume them to be valid if they are coming from bank etc. I also haven't heard of anyone spoofing SMS. Should I be more cautious?


Never trust caller ID or senderid on phone calls or SMS.

The reason is that phone companies interoperate grudgingly and do the minimum required to pass calls and messages between each other, and also most phone companies are 100+ year old companies who have just layered modern tech on top of their old stuff.

They handle a massive unending stream of calls/messages and they can't possibly validate each one (even if they wanted to), so when a call comes into your provider (mobile or land line) it comes with all the metadata fields (sender, etc) populated, and your provider just passes that along without any verification.

This was less of a problem when there was a reasonably limited number of phone companies (a few per country) and they were all large enterprises.

Now with the rise of Twilio and tons of other pay-as-you-go companies that can hook into the global phone network to send calls and messages, and MVNOs (virtual phone companies that sit on top of the incumbent ones), there are too many players to track and in the name of convenience (and cost-savings) we haven't kept up with the verification part of the chain.


>they can't possibly validate each one //

Why not?

They don't pass on all metadata, that's part of the problem. If a call originates in $foreign_country, the sender gets to spoof it as a local call (sometimes they even use your own phone number). Are you really telling me there's no way to tell the difference between an off-shore call and a local one? It seems if this were true that billing would be impossible, yet somehow the origin gets billed (though admittedly that might only be the immediate upstream, but usually this will be enough to disambiguate a scam call).

Phone companies make money from scammers. It doesn't seem to be a technical bar, rather a financial disinclination that stops phone companies from robust action.


Major telcos are anywhere from 70 to 100-year-old companies generally speaking. Most of them are the result of haphazard mergers between many many local phone companies over their existence, so even internally they are often held together rather precariously.

I'll give you one simple example of the magnitude of this. In Ontario & Quebec, Canada, in the 1920s, there were almost 800 local phone companies operating, and "The Bell Telephone Company of Canada" was the long-distance provider that connected all those companies together. Even back then they handled almost 3M long distance calls per day (from roughly ~500,000 phones).

Over time, Bell bought up all those local independent companies and merged their records, customers, infrastructure, operations, etc.

That's Ontario and Quebec only, 2 provinces out of 10.

Fast forward like 60 years and in Canada local/regional phone companies in various parts of the country were still a thing in the early 1980s, and even now we still have distinct phone companies for some of our provinces.

And this is just one country that has less than 40M people. Now repeat this process in the US, and other parts of the world, going back almost a century, and you can start to understand the complexity we're dealing with here.

The insanity of these merged and glued-together tech stacks would make most people faint.

Obviously they're not all still running on super old tech, but if you look at any major incumbent telco's DCs you will commonly find switching systems from as far back as the 1960s that have been wrapped in layer after layer of "modernization" but are still there routing calls and running old code.

I know you believe what you are saying is "simple enough", and it probably should be, but sadly it's not.

And while you're right to say it's a cost thing, it is also a technical problem in that it would require massive coordination both internally within telcos but also between companies that are competitors to each other, and aren't naturally inclined to work together in the first place.


There are valid use cases for spoofing caller ID.

It’s been a long time since I dabbled with Asterisk (IP PBX); IIRC, by default the call forwarding/redirection function uses metadata from the original incoming call. Let’s say you’ve programmed your PBX so that after 30 seconds of an incoming call ringing, you want to redirect/forward the call (that is, to make a new leg and then connect them together) to your mobile phone number. I’m pretty sure, on your mobile phone, you’d want to see the original caller’s number for the incoming call, not the PBX’s phone number.


We have STIR/SHAKEN but the phone companies are dragging their feet on implementing it.

Yes STIR/SHAKEN is supposed to be in place in like 3 months...

I'm curious to see if it rolls out as smoothly as we hope.


We heavily use programmatic SMS sending at work. There are two options for how it can appear on the recipient's end: as a normal phone number, to which you can reply, etc. We had to purchase a dedicated number for this. The other option is to simply put whatever sender ID you want - we use the company name. This way you can't reply to the message, so we mainly use it for marketing purposes. Nothing stops me from replacing <company_name> with <random_number_belonging_to_bank>.

> Is this worldwide or US?

Worldwide. SMS is just like e-mail, you can put anything you want in the sender field. You should absolutely not trust SMS.


Actually, I trust e-mail more than SMS. With e-mail at least you can look at the headers and if you know which part you can trust you can verify where it came from. With SMS there is no such possibility.

Any idea on the extra security measures? In Turkey for example, when you change your SIM card the 2FA from the banks will stop working and you need to call your bank to re-activate it. That of course seems like a measure to prevent SIM cloning but maybe there are some security protections against spoofing. In many places SMS is a popular way to do payments and 2FA for high security applications.

Carriers can indeed expose APIs for banks and other third-parties to check if a SIM has recently been reissued, but that's a separate problem from spoofing.

Where does SMS get used to do payments? (...and how?)

SMS for 2FA is known to be a very bad idea, and some security experts have been shouting about the need to stop doing that for a while.

I also can't see any country managing to implement more restrictions on SMS without either breaking a lot of "legitimate" sources of SMS or being ineffective outside of a very narrow window (e.g. only blocking forged SMS for numbers originating within one country)


"Where?!" Everywhere. It's being phased out in many places, but as a rule of thumb, mostly everywhere still.

"known to be very bad ... been shouting ..." Right, yeah, to put it in some perspective remember that you're talking second factor here. This is not your login, this is a secondary confirmation and you still need some serious motivation to bypass it. It's definitely doable, I work in security and I know what kind of attacks you're thinking of, but it's not the opportunistic kind of thing that a common thief will do without technical research and planning it out. If you know how to do it, you can probably find better jobs than this. It also doesn't scale well because you can only use it on people whose bank login you've already cracked in the first place.


I'd never seen or heard of it being used for payments before, which is why I asked - I'd heard of phone numbers being used as account names (effectively) in some payment systems, but being involved in the workflow of making payments is entirely novel to me.

I'm aware it's not your login, but it feels the same as asking someone for publicly searchable information to "verify your identity" - an additional "security" step that doesn't actually slow down any attacker more dedicated than a passing whim, but makes people feel good about whoever is using it, when there are better options that don't have the problems of SMS.

Yes, it doesn't scale well to bulk attacking, but most of my interactions are with people who take reasonable precautions like keeping their machines patched, not installing random crap from the internet, and generally avoiding other fun ways people get swept up in low-hanging fruit campaigns.

SMS 2FA is better than no 2FA at all, it's just frustrating to watch many companies deploy it and go home when there are better options, some of which also require only a phone.

edited to correct my statement: I originally said "SMS 2FA is better than no 2FA at all in a number of cases", but no, I'm pretty confident it's strictly better, even with all my laments about it.


What better options are there that have approximately the same ease of use?

SMS works with every conceivable phone, even most landlines if need be, users don't have to install a separate authenticator app, which may require a Google/iCloud password (now where did I put that post-it note?), that takes up space that may be scarce on low-end phones and that may not even be compatible with very old phones, leaving affected people in a really unsatisfactory spot.

Then they need to set up codes for every login, figure out how to switch back and forth between apps and how to copy codes, which is not very discoverable at least in Google Authenticator – most people seem to memorize and type instead, cumbersome.

Hardware tokens are even worse, people misplace those a lot and unless you are a bank with a mature process for issuing these, setup is probably even more of a hassle.

All of this may be big deal if you (also) target less technical people and want them to use your product when they have the option not to.

With SMS, all the user needs is a phone number. Pretty much everyone is familiar with that, most will readily share it, too. iOS will even extract codes and show them on top of the keyboard, just wait a second or two and tap the code, done. It's about as painless and frictionless as it can reasonably be, with apparently relatively inconsequential security drawbacks – given it's supposedly trivial to fake SMS, there don't seem to be a lot of people doing so at scale. Maybe a breach like this one will finally change that? Remains to be seen.

For now I can totally see why one might stick with SMS as a second factor.


> users don't have to install a separate authenticator app, which may require a Google/iCloud password

If they wish to use Apple then that is their own choice, but on Android it's quite trivial to download Red Hat's open source authenticator app[1] from f-droid (the website, you don't even have to install the store if you don't want that). It's quite bare bones on graphics and features, doing only what you need it to (the f-droid build is 0.5MB, frankly still large for what it does but consider that it's like half of a single photo).

And if people don't have a phone with support for apps, then you can still fall back to SMS. Doesn't mean you need to force everyone down to that level.

Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset). Does that mean we cannot support anything better than sending a letter, which is accessible to him as well? Can't we have the better solution as well as the accessible one?

[1] https://f-droid.org/en/packages/org.fedorahosted.freeotp/

> With SMS, all the user needs is a phone number.

No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security. I get what you're saying about everyone having a phone number that you can identify them by, but that is also the issue: everyone has typically a very very limited amount of phone numbers (and typically linked to a government ID) whereas a throwaway email is easy to make and each TOTP code is throwaway by design. I think there's something to say for supporting this.


> If they wish to use Apple then that is their own choice, but on Android it's quite trivial to download Red Hat's open source authenticator app[1] from f-droid (the website, you don't even have to install the store if you don't want that).

That's even less intuitive than using the default app store. That's a whole new slew of concepts you need to grok (you can download an app from the web and install it without an app store; what is this fdroid thing? is this a virus? what do these dialogs mean?), plus training people to do this without also giving them the knowledge when and why this is safe isn't exactly helpful, but that's a lot to ask from a simple sign-up flow for a hypothetical niche app built by a hypothetical two-person team.

> And if people don't have a phone with support for apps, then you can still fall back to SMS.

You can, but that adds to the complexity and support burden and probably also costs you users due to sign up friction.

> Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset).

That's an interesting case. I'd like to think there would be a fallback for people like him, but I guess, in the vast majority of cases, he'd just be left out. The current state of inclusivity in tech is abysmal, though I've seen vision-impaired and deaf people get around their devices surprisingly well; it's still an embarrassment that this industry won't do better. It's hard to get this right when it should be hard to break this, but current frameworks and paradigms don't prioritize this. It's shameful IMO.

I do think SMS is a lot more accessible than authenticator apps and the like, even though that still will not work for everyone.

> Can't we have the better solution as well as the accessible one?

I'm not saying you can't or shouldn't offer the best solution you can. By all means give me Yubikey support and several fallbacks. But I can see quite well how not everyone might want or be able to.

> No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security.

Facebook definitely should get rid of SMS factors. If anyone has the resources to do much better, it would be them and the other giants. Not sure how they handle that, though. They'd still collect phone numbers in any case, but they'd happily image people's internal organs if they could, so that is a separate issue.

Apart from that people seem to be quite happy to use their phone number for signup if it makes signup quicker and less annoying. Even if the primary flow is email and alternatives are hidden in another tab, phone number still tends to get used a lot, in my limited experience. Same with Facebook/Google login.

Plus, for most people I guess it isn't as black and white; in quite a few cases I've given my phone number even if signing up via email, because it helps a lot if people can just call me in case of issues (e.g. the restaurant is out of my extra topping).

That said, I'm all for offering as much choice as possible, and I'm not happy with the inflationary use of phone numbers as the only way to sign up, and I'm all for Yubikey support in every app, and it's disappointing that OS/browser vendors don't make this easier and more convenient, and if anyone wants to let me have as many anonymous phone numbers as I need, I'm very interested.

But, still, I can totally see why a resource-strapped product/dev team might come to the conclusion that SMS second factors are sufficient for now.


> it's just frustrating to watch many companies deploy it and go home when there are better options

I do agree with you there. To be clear, while I think the problem is of a smaller magnitude, I do agree with your general point. Other alternatives like very simple TOTP tokens additionally don't require a phone number and so you don't have this stupid "add your phone number now, we'll use it only for security, pinky swear!" prompts.

Heck, there could even be an argument that SMS OTP is now illegal with GDPR unless the user gives explicit consent. You can't use user data (PII) if it's not with consent, for a legitimate purpose, to fulfill a contract, for the user's own good, to comply with law enforcement, and I'm probably forgetting one or two reasons. Now that it's clear that stuff like TOTP is a better alternative, there is no reason to process people's phone number anymore for this purpose, making it impossible for you to send that SMS OTP. (Of course, you'd have to convince a judge that TOTP is better than SMS before we actually get case law on this specific use of a phone number so... *mumbles something about nine-tenths of the law*.)


> Where does SMS get used to do payments? (...and how?)

Look up M-Pesa[1], which is a hugely successful, mobile phone based payment system in multiple countries.

In Kenya alone, where it started, it had 17 million subscribers. In 2011, that was.

[1] https://en.wikipedia.org/wiki/M-Pesa


> Where does SMS get used to do payments? (...and how?)

In India, for every card transaction, for every DMAT transaction, for every password/PIN change SMS is used as 2FA. It is also mandated to require SMS 2FA for every one of these cases.

If my bank has any means to use TOTP/Yubikey, it is absolutely not made obvious, let alone clear or even possible.


Okay, so SMS gets used as 2FA for all those things, not somehow a primary method of creating transactions, correct?

Unfortunately, quickly looking, [1] suggests at least one of the listed services for sending arbitrarily forged SMS messages explicitly works in India, so it seems like this is still true for you. :(

[1] - https://www.usethistip.com/5-websites-to-send-anonymous-or-f...


I'm pretty sure Italy requires a company to register to an official list before being able to put a personalized sender ID in your SMS communications. I'm not sure about the inner workings but seems far from "whatever you want".

I kinda assumed this was a widespread modus operandi, apparently it's not?


Are there Android apps for that?

I'm absolutely no expert on this, but I think your provider would usually filter this spoofing attempt out, just like with IP spoofing. But if you're in the right spot in the network (e.g. your provider doesn't check for spoofing or you're your own "provider") you can do whatever you want.

Another problem with Android could be that the operating system might not have enough control over the SIM card/modem to spoof phone numbers.

I have heard about people using some services to send/call from spoofed numbers though


Hushsms is one, but requires Xposed Framework.

Does that let you spoof the sender address on any phone? I was under the impression that you had to create an account with a SIP provider to do that.

(Btw a Google search for "Hushsms" results in shady/cancerous app stores that all seem to mirror each other. Where is the official website/thread?)


Absolutely do not trust the SMS sender name or message content in any country. SMS can be spoofed so easily anyone can do it.

I can confirm this happens in the UK.

This is probably overkill to say but to be sure:

Never trust any information from SMS, or from a telephone call (or email) - both SMS and CallerID can be trivially spoofed, and frequently are.

If they have e.g. found out what bank you use, they can make the number look like it came from your bank ("See, this number is listed on the back of your card" is a common approach)

If you get a call or SMS requiring followup, then look/ask for a reference number and a publicly listed number you can call back on - _and verify this number is listed on the organisation website before calling_, ideally on a telephone you know they can't "hold the line open" on (less of a problem now people mostly don't have landlines). It's okay to "engage" with a caller as long as you are careful to not give up any personal information - especially in cases where it's a bank they should be fine with you refusing security until you can call back.

Don't ever relay information between channels e.g. if you _think_ you are talking to the bank, don't relay the contents of a 2-factor SMS you get, even if they say they are "sending" one to you. There have been cases where scammers have called the bank at the same time as calling the mark, so that when the scamee called the bank on a different line the bank verified that "they" were on another line.

On reflection, it's kind of crazy the things you have to be suspicious/paranoid and aware of. I'm not surprised that even competent/intelligent people get scammed; it often seems that the infrastructure that we rely on for trust is even flimsier than you could imagine.

Probably there are more extreme cases where these general rules aren't enough but probably unless you are a big CEO or something you are below the targeting threshold (see e.g. https://nakedsecurity.sophos.com/2019/09/05/scammers-deepfak... which will probably only become easier over time). A healthy skepticism about complicated workflows is probably helpful.


Could someone elaborate on what the worst-case exploit would be for those numbers that got leaked? What would a scenario look like? Asking for a friend whose number got exposed...

It's still going to be a scam message, but they can use your Facebook ID to see everything public on your profile now, as well as the other fields in the leak like full name, location, bio, birthday. So whatever the most convincing scam message somebody can come up with is combining all of that data. Off the top of my head, "happy birthday here's a gift from us" messages from companies leading to phishing pages and personalised fake register to vote pages relating to upcoming elections in your area.

It's not really new data, it's just scam SMS I've received in the past has never shown any sign of knowing anything other than my phone number. Now you can buy phone numbers and pull personalisation data unrestricted from your copy of Facebook's database for each of them. I'm sure sophisticated scammers already were, but now everyone will.


Birthday is a form of identity verification too, for password reset.

None of the birthdays I enter are real. :P

And no one should put their real birthday, lol. Birthday is mostly used for targeting ads.

This is why facebook can say to advertisers, "We mostly have young people using our service. So please put your money on our company"

And yes, using the account of a 60-70 year old always receives fewer ads :D


They have to be consistent, yes? If I enter 6/7/1989 everywhere they just have to get it once.

I use different ones for each account and write them down like passwords if it somehow ends up being a hint for password recovery etc.

My university is known to offer the option of paying tuition through a popular online system. This is done by sending each student, at the start of the year, an SMS with a link to a payment option.

Suppose you can get a list of people studying there, their names, and their phone numbers. Faking this SMS and putting in a payment that goes to you instead of the uni would be a nice way to earn about 2000 euros per student who falls for it.


> My university is known to offer the option of paying tuition through a popular online system. This is done by sending each student, at the start of the year, an SMS with a link to a payment option.

They don't email this information? They don't put it on an online notification system? I have no idea why SMS seems like the logical option for this.


Kids are more likely to text, less likely to email these days. I can understand why they’d use SMS for their target demographic.

That doesn’t justify the security implications of doing this...


Do kids still text or is that a generation or two removed from the current iMessages/WhatsApp/Signal/WhateverComesAfterSignalBecauseImOldAndDontKnow?

I'm sure they'd prefer to receive notifications from their university on WhateverComesAfterSignalBecauseImOldAndDontKnow, but I imagine that SMS is the 2nd best thing (and probably still generates eye-rolling about the university being old fashioned).

But then you're stuck logging into the payment portal and filling out the form information with your phone, which is my own personal hell.

Oh, I'm with you. I'd much prefer to pull this up on a real computer so I can efficiently fill things in. I've adapted to typing on glass with my thumbs, but I'm not very good at it.

I do not know why they do this. I really wish they would stop.

I have considered faking the SMS message, with the payment link saying "imagine this wasn't a warning message but an actual payment request, please tell the university this is unsafe". But sending that kind of mass SMS is not easy, nor is finding the correct phone numbers.


The email option is arguably an easier (cheaper) attack vector than the SMS messages would be.

Yeah, I thought of that after I wrote it. Send it to all the university accounts you can get your hand on, see who you catch. It's probably just personal preference showing through as well, as I wouldn't be comfortable paying with my phone. I also have no idea how people substitute their PC with an iPad or phone. Much harder to fill out a page of fields and navigate around, and I'm sure that Google Pay won't support $15,000 payments.

If your phone is your 2fa, someone uses this data to target you for a sim-swap to take over your phone, and then uses it to take over high value accounts.

What some spammers do in my country, for example, is call old people and pretend their (grand)children were involved in an accident and ask for money for quick interventions (the hospital is out of funds, bla bla). It's sometimes hit or miss because the person might be next to them, or they just talked, or sometimes they can't figure out if you have a daughter or a son etc.

With a correlated leak like this, it's super easy for me to find your profile, see who you are, what you look like, even from just your profile picture I could potentially see you have a daughter yourself, so I can target your mother that something happened to her granddaughter and you, which would make her pay up even faster possibly.


> This huge leak has definitely killed the SMS text messaging service.

So with this breach, one now must use WhatsApp for messaging contacts? That is rather convenient for Facebook.

As someone who already has much friction convincing people to use SMS with me instead of the WhatsApp account that I've never had (nor a Facebook account), making SMS even more problematic is great for Facebook. Many people assume bad intentions or some other undesirable status when I tell them that I don't have WhatsApp and that I'm not willing to install it.


The reason that Whatsapp massively took off in certain parts of the world, and to an extent even replaced the public-telephone system (e.g. restaurants and other local businesses may even want to be contacted by Whatsapp, not phone), is because SMS is expensive, but data is not. Sure, you might be in a part of the world where SMS is a viable option, but for many people it no longer is, and instead of asking for SMS you might suggest an alternative like Telegram or Signal.

I've been trying to get people to use Telegram for years. For whatever reason, everybody wants to hear why Telegram is acceptable to me but WhatsApp is not, but they are not patient enough to even try to digest the answer in the majority of cases. And people will install any privacy-invading games or icon packs with no problem, but not another instant messenger. I have no idea what is behind this phenomenon.

This leak is putting people's lives at risk.

What is truly damaging about this breach is that it allows for bidirectional mapping of phone ⭤ name (and often location, since the data can include town/employer).

The risk is much bigger than "I'm going to get more phone spam."

Examples:

- An abusive ex/stalker type can now search by name and find his ex's phone number and maybe even city/town.

- Have you ever dealt with an irate person via phone? (craigslist deal gone wrong/creepy, for example). This person can now know your name and even photo since the leak includes your fb id.

I am certain that both of these things will happen in the next few months or years. If privacy changes are to happen at the legislative/personal responsibility level, it would behoove an organization like the EFF to find one such case and use it to sue the living daylights out of FB. I think it's also worth mentioning these sorts of risks instead of focusing on "spam".

Unfortunately, even if that were to happen, we'd end up with a moral panic, which almost always ends up punishing the wrong people. What we really need is a change in the kinds of data that are allowed to be kept, and a change in data/identification infrastructure.

Things like:

- The creation of a standardized & subsidized token/OTP platform. In the US for example, you should be able to go to the post office and get a NIST approved token generator, which should be mandated to be used by all banks and replace SMS and SSN as authentication.

- A pseudonymity middle-layer (ie, Stripe for Privacy). For example, when I buy a t-shirt online, I should be able to simply give the merchant my pseudonym, and they shouldn't store my actual name & address. If they want to store that there should be much much higher data protection requirements.

This infrastructure should be free market but with a "public option" in order to prevent oligopolization of these services.


Seriously. I downloaded the leaks to see if any of my family members were included, so that I could alert them to watch out for targeted scams.

But of course I couldn't resist grepping for a few other things. For example, there were about 25,000 phone numbers, emails, and names of single people in my home city.

The same info is available for about 180,000 US-based people who list Facebook as their employer. I sure hope that nobody takes it into their head to complain about the breach to those people!

It is hella creepy that anybody can search through such a vast quantity of extremely personal information so easily. But this is also a predictable late-stage result of mass-scale social media use.


All of your solutions are currently possible on the blockchain.

>The creation of a standardized & subsidized token/OTP platform. In the US for example, you should be able to go to the post office and get a NIST approved token generator, which should be mandated to be used by all banks and replace SMS and SSN as authentication.

DeID

>A pseudonymity middle-layer (ie, Stripe for Privacy). For example, when I buy a t-shirt online, I should be able to simply give the merchant my pseudonym, and they shouldn't store my actual name & address. If they want to store that there should be much much higher data protection requirements.

Deid, paired with the fact that I don't give them anything. I send them the money instead of giving away my information. This is a key distinction. When I pay for things with my credit card, I am swiping my card, they are saving my information and running my card. Sending them money, with some DeID to acknowledge receipt is entirely different. Instead of them 'Taking', I am 'Giving'.

Also, the Deid can come with a parsing function that 'Shares' the keys to your address and name, without the ability to capture your information. It works directly with the EDI to provide the 'keys' to your address but never allows them to store it.

>This infrastructure should be free market but with a "public option" in order to prevent oligopolization of these services.

Polkadot and many other cryptos with governance are also solving this problem.


The "real names" myth was the biggest scam played against people in the past 15 years. The media are also wholesale responsible for perpetuating that damaging trend. Historians of the future will look at the past 2 decades with disbelief.

Yeah, it’s fine to have some public facing content online, but the first thing a child used to learn before going online was to never use your real name and to never give out any personal information like your address and telephone number. At least that’s how it was where I grew up.

I remember when Facebook launched I had a visceral reaction after seeing all the content being shared out in the open. My dad didn’t even want our phone number in the phonebook, and now I saw everyone else sharing every detail of their identity online.


I started using my real name online when I realised it was better that things I control come up when you search for my name, rather than whatever someone else posted online with my name next to it.

My first online social experience was Usenet in the 1980s. It was very common for people to use their real names (though certainly not everyone did). My university encouraged real names, the rationale was that if you use your real name you will be more courteous, and only say things that you would want to be associated with. It's much easier to troll and engage in flamewars and generally be an asshole if you do it anonymously.

What's the 'real names' myth?

The idea that using your state-given name online is beneficial.

What is a state-given name?

Presumably your birth name given to you by your parents. Describing it as "state given" seems intentionally misleading...

It should be called "state-recognized".

The state does not give you a name, but it registers it and uses it to recognize you in various situations. Usually the name is not enough to identify a person (and fun/disaster ensues when this is attempted) so, usually, more information is needed to identify a person.


It should probably be "legal" name. https://en.wikipedia.org/wiki/Legal_name

The thing on your birth certificate.

Your "real name" (all names are real)

Scam? That assumes deliberately misleading people for the scammer to benefit. Who exactly is benefiting from this?

While I don't agree that it's obvious even now that using real names is damaging (i.e. makes things worse than anonymity/pseudonymity), the assumption that it's a scam goes 100% against Hanlon's razor.

It's pretty easy to claim that using real names online does more harm than good when pointing at a data leak, but we should also consider the opportunity costs, the outcome of the alternative scenario. I'd say that all the fake and troll profiles show that anonymity makes people behave in a way that's damaging to online communication (and hence, as a lot, maybe most, communication is online these days, to all communication). You can say that fake profiles are there anyway, which is true, but it still doesn't mean that everyone going anonymous wouldn't be a lot worse. So at best it's an undecided question as opposed to being a deliberate scam.


Real names were Facebook's selling point. 'Join in, all the friends you know by name are here, upload your entire phonebook to us, look everyone's doing it'. Facebook's quick growth made billions and billions for some people.

> Who exactly is benefiting from this?

Facebook.


Why notify? Victims get notified every day by lots of spam SMS. Thanks Facebook!

Because I would really like to know if I'm affected. According to "Have I Been Pwned" my phone number is not in the list, but about one or two weeks ago I noticed that my spam folder was unusually full, which led me to believe that something new must have happened. Shortly thereafter Facebook's leak hit the news.

From my point of view it is their obligation to notify all the affected users. It's morally the right thing to do, and legally, well, I don't know, but maybe the GDPR says that yes, that it's their obligation to do so.

And by notification I mean sending a notification email, since I haven't logged in for months and don't intend to this year.


Just assume the answer is yes. If you are active online at all, you're in a breach somewhere. In fact, you are likely in a breach even if you are not active online (in a state/federal government data breach for example)

The leak did not include email addresses, so your email spam issue is unrelated.

According to haveibeenpwned.com

> whilst each record included phone, only 2.5 million contained an email address


That's not true, many of the accounts did have email addresses.

The only email addresses in the leak are of those who have specifically set their email address to be public on their facebook profile.

Newer Android versions have an SMS spam folder as well, they might have been talking about that.

It did include email addresses in some cases, just not all of them.

Ah, thank you.

Guess it's too hard to notify users that their information got leaked. I hope they reported to all the different institutions in Europe though. The article suggests they didn't even report it to the Ireland one!

Are you seriously claiming it's too hard? They could send out emails, Facebook messages or show some banner in the profile page.

This is Facebook ffs, they almost have a monopoly on communication.


It's not our parent who claims it's too hard to find the users affected by that breach, Facebook does. Curiously. Quote from the source article:

> The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified.


Did they not see the user ids in the leak? Just do facebook.com/user_id and you got the person...

> too hard to notify users

Legally speaking.

The way privacy protection laws are, especially in Germany, is kinda stupid. On one side they often don't protect you in practice, on the other side they effectively hinder and sometimes prevent reasonable usage.

Just a few examples:

- A local government couldn't properly inform elderly people that they can now get vaccinated for free because of the interplay of various privacy protection laws (and stupidity/inflexibility in other areas tbh.).

- Germany has a privacy respecting anonymized Bluetooth based contact tracing app (wrt. Covid). But if you do a test you first have to physically sign off that other people are anonymously informed that someone they likely had contact with has covid, then when you get the result you still need to agree again to share this information. And even this was only possible after changing regulations. (I.e. why is one initial agreement not good enough?)

- The government most likely not being able to inform the victims of data breaches such as this one.

- ...


> But if you do a test you first have to physically sign off that other people are anonymously informed that someone they likely had contact with has covid

This is false. I've been tested about 15 times within the last year and none of the things I "signed" included any of that.

I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

> then when you get the result you still need to agree again to share this information.

This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

Honestly curious where you got that information from?


> I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.

If you registered a test with the covid app you had to sign something when doing the (not "fast"/PCR) test. If not, something was legally not quite right. Also, maybe in recent months this has been changed, but it's unlikely.

> This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html

I'm speaking about the covid app, not the health agency, which yes, always gets the reports, but also (at least at the beginning of Covid) had a completely inefficient procedure which left the health agencies in most German states, at least in the middle, unable to process them anywhere close to in time. Like, them collecting "people you had been in contact with" 3! weeks after you were found to have covid was not uncommon.

> Honestly curious where you got that information from?

People officially working on the development of the covid app (there is a CCC talk). And various other sources which also overlap with personal experiences (like yes, I personally had to give agreement on paper so that I could use the covid app).

Note that the physical confirmation is kinda hidden on a paper containing all kinds of information, so many people might not have been aware of it.




What I mean is that it's hard for 3rd parties to legally contact people affected by the breach. And in this case 3rd parties includes the government.

The general guideline in the GDPR is 72 hours.

> In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.


I suppose a well meaning spammer could just SMS everyone pretending to be Facebook.

Let me just drop a note here that I happen to have two "unlimited" SMS subscriptions (i.e. could at least notify a few thousand people) in different European countries and that contact info is in my profile in case anyone has... ideas... :-)

Can't edit anymore, but this was not exactly an invitation to email me names and phone numbers to text. I don't know the legal implications of sending mass unsolicited messages to people whose phone number I obtained through downloading questionable data.

If you really want to warn people and you have a plausible explanation for the legal basis on which we're doing this, then I would definitely be able to contribute resources to your cause.

But also, frankly, they put this info there and configured it to be public themselves. Doesn't mean they don't need to be warned about this misconfiguration, but it's quite different from if there had been a data leak caused by facebook that facebook isn't telling the users about. I don't feel the need to drop what I'm doing and spend a couple days looking into the legal status, coming up with a good narrative / what to text them, gathering other people, figuring out how a regular human being can send hundreds of text messages without doing custom app development (if avoidable), dealing with the aftermath...

TL;DR: if you cleared the list of todos in the previous sentence, then my resources you shall have.


Question: is it legal to download these files to see what data is leaked about yourself?

My issue with haveibeenpwned is that I don't know what's leaked. Note, I'm super happy with the fact that the service exists, because I'm happy to know who of my social circle is in it, so I can notify them. But I don't know exactly what's leaked.

Are passwords leaked, for example? What about my social info is on there?


> Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, Names, Phone numbers, Relationship statuses

Assume these columns are compromised. As a general rule it probably doesn't hurt to change the password and any you've reused.
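The two things people in this thread keep circling back to are "what does a stranger learn from my phone number now" and the bidirectional phone/name lookup raised further up (stalker searches by name, angry caller searches by number). The script below is an added illustration, not code from the thread, from HIBP or from any real tool: it parses a made-up, colon-separated dump whose column layout is an assumption loosely based on the fields HIBP lists for this breach, canonicalises phone numbers so that "07700 900123" and "+44 7700 900123" hit the same row, and indexes the rows both ways. The default country code used for national-format numbers is also an assumption.

```python
"""Two-way phone <-> name index over a leak dump (added illustration).

Not code from the thread or from any real tool. FIELDS and SAMPLE_DUMP are
constructed for this example; the layout is an assumption, the data is fake.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed column order of the dump (constructed; not the real file layout).
FIELDS = ("phone", "facebook_id", "first_name", "last_name",
          "gender", "city", "employer", "email")

# Constructed sample rows, deliberately mixing phone formats and including
# one malformed line, as a real scraped dump would.
SAMPLE_DUMP = """\
447700900123:100000000001:Alice:Example:female:London:Acme Ltd:
+1 (555) 010-0100:100000000002:Bob:Sample:male:Austin, Texas:Facebook:bob@example.invalid
+49 30 123456:100000000003:Carla:Muster:female:Berlin::
not:enough:fields
"""


def normalize_phone(raw: str, default_cc: str = "44") -> Optional[str]:
    """Return the number as E.164 digits (no '+'), or None if unusable.

    Rules (assumptions, good enough for a lookup key):
      '+...'        -> already international
      '00...'       -> international with 00 prefix
      '0...'        -> national format, prefix default_cc
      anything else -> assumed to already carry its country code
    """
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return None
    if raw.strip().startswith("+"):
        pass
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]
    if not 7 <= len(digits) <= 15:   # E.164 length bounds
        return None
    return digits


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Parse the dump, skipping malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["phone_e164"] = normalize_phone(rec["phone"]) or ""
        records.append(rec)
    return records


class LeakIndex:
    """Phone -> record and (first, last) -> records, both built once."""

    def __init__(self, records: List[Dict[str, str]]):
        self.by_phone: Dict[str, Dict[str, str]] = {}
        self.by_name: Dict[Tuple[str, str], List[Dict[str, str]]] = defaultdict(list)
        for r in records:
            if r["phone_e164"]:
                self.by_phone[r["phone_e164"]] = r
            self.by_name[self._name_key(r["first_name"], r["last_name"])].append(r)

    @staticmethod
    def _name_key(first: str, last: str) -> Tuple[str, str]:
        return (first.strip().casefold(), last.strip().casefold())

    def lookup_phone(self, raw_phone: str, default_cc: str = "44") -> Optional[Dict[str, str]]:
        key = normalize_phone(raw_phone, default_cc)
        return self.by_phone.get(key) if key else None

    def lookup_name(self, first: str, last: str) -> List[Dict[str, str]]:
        return self.by_name.get(self._name_key(first, last), [])

    def exposed_fields(self, raw_phone: str, default_cc: str = "44") -> Optional[Dict[str, str]]:
        """Everything a stranger learns from one number: non-empty fields only."""
        rec = self.lookup_phone(raw_phone, default_cc)
        if rec is None:
            return None
        return {k: v for k, v in rec.items() if v and k not in ("phone", "phone_e164")}


if __name__ == "__main__":
    idx = LeakIndex(parse_dump(SAMPLE_DUMP))
    print(idx.exposed_fields("07700 900123"))          # Alice's row, via national format
    print([r["city"] for r in idx.lookup_name("alice", "EXAMPLE")])
```

The normalisation step is the part worth copying: HIBP stores the numbers in international format, so a national-format number typed into a search box can come back "not found" even when the row is there. Run the `exposed_fields` check against your own number and your family's before deciding who needs a warning about targeted scams.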


"It's from 2019" is the stupid excuse they have.

The amount of laxity they have shown in this matter is appalling!!


If you change your DoB every year like I do, you'll be fine...

I got into the habit of treating the DOB like a password when asked by an entity that has no business knowing it. I give a random date and keep track of it in my password manager.

Assuming not sarcasm, how does that help? Do you do this for just Facebook or for multiple websites?

I use a random DoB for every website.

(The only exception is banks because it has to match what's on my ID and credit report)


You assumed incorrectly :)

I don't have an account, but I'm fairly sure Facebook doesn't let you edit it once you've given it.


The leak didn't include DoB.


Did they notify people about it in 2019? Do GDPR, CCPA, and other similar privacy laws have a statute of limitations? [0], [1], [2]

[0] https://ec.europa.eu/info/law/law-topic/data-protection/data...

[1] https://www.oag.ca.gov/privacy/ccpa

[2] https://en.wikipedia.org/wiki/Privacy_law


I love how the reasons to delete social media keep on growing.

With someone's number you can very easily get a rough idea of where they live. I can imagine the living hell this creates for Domestic Violence survivors and others escaping bad situations.

On the flipside I plan on spending my weekends phone free, only carrying a small FM radio to play music.


>With someone's number you can very easily get a rough idea of where they live. I can imagine the living hell this creates for Domestic Violence survivors and others escaping bad situations.

Wait until you learn we used to collect everyone's name and phone number and often even their address in big books that just anyone could read. You could even have them delivered to your doorstep.


Someone should get the leaked data and notify everyone. It does contain contact information after all...

If you mean by email, good luck not getting blacklisted as spammer everywhere. Maybe the likes of Microsoft and Google could bother to "notify" their users without such a fear. But there are other considerations.

Isn't it just scraped public data? Calling it a leak for data that's public seems odd.

The data isn’t public. It’s based on the friend finding feature. If you fill a contact list with phone numbers Facebook will automatically suggest the person with that number as your friend. So if you make a contact list with all possible phone numbers, you can know who they belong to.
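The comment above describes the scraping mechanism: feed the friend finder a synthetic address book covering a whole number block and read back who each number belongs to. The detection sketch below is an added illustration, not code from the thread and not Facebook's actual abuse controls. It scores contact-import batches on three properties a real address book does not have (thousands of numbers, consecutive numbers, and a low hit rate against existing profiles), and it merges batches per account, because an attacker who splits a sweep into small uploads, or strides through the block instead of walking it sequentially, defeats any single-batch check. The event format and every threshold are assumptions.

```python
"""Flag contact-import batches that look like phone-number enumeration.

Added illustration; not code from the thread and not any platform's real
controls. ImportBatch, thresholds and the sample events are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class ImportBatch:
    account_id: str
    numbers: List[str]   # E.164 digits as uploaded by the client
    matched: int         # how many resolved to an existing profile


def longest_sequential_run(numbers: Iterable[str]) -> int:
    """Length of the longest run of consecutive integers in the batch."""
    vals = sorted({int(n) for n in numbers if n.isdigit()})
    best = run = 1 if vals else 0
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def sequential_fraction(numbers: Iterable[str]) -> float:
    """Fraction of numbers whose immediate successor is also in the batch."""
    s = {int(n) for n in numbers if n.isdigit()}
    return sum(1 for v in s if v + 1 in s) / len(s) if s else 0.0


def score_import(batch: ImportBatch, max_contacts: int = 1000,
                 max_seq_fraction: float = 0.2, min_match_rate: float = 0.5) -> List[str]:
    """Return the reasons a batch looks like enumeration (empty = looks fine)."""
    reasons = []
    n = len(set(batch.numbers))
    if n > max_contacts:
        reasons.append(f"{n} distinct numbers in one account's imports")
    seq = sequential_fraction(batch.numbers)
    if seq > max_seq_fraction:
        reasons.append(f"{seq:.0%} of numbers are consecutive")
    # Real address books mostly contain real users; a brute-force sweep of a
    # number block mostly does not. Only judge the rate once there is data.
    if n >= 50 and batch.matched / n < min_match_rate:
        reasons.append(f"only {batch.matched / n:.0%} of numbers matched a profile")
    return reasons


def is_enumeration(batch: ImportBatch) -> bool:
    return bool(score_import(batch))


def merge_by_account(batches: Iterable[ImportBatch]) -> Dict[str, ImportBatch]:
    """Aggregate all uploads of one account (e.g. over a day) into one batch."""
    merged: Dict[str, ImportBatch] = {}
    for b in batches:
        m = merged.setdefault(b.account_id, ImportBatch(b.account_id, [], 0))
        m.numbers.extend(b.numbers)
        m.matched += b.matched
    return merged


# Constructed events (not real telemetry).
REAL_BOOK = ImportBatch("u1", ["447700900123", "447911123456", "15550100100", "4930123456"], matched=3)
# Naive sweep: one upload walking a block of 2000 consecutive numbers.
SWEEP = ImportBatch("u2", [str(447700900000 + i) for i in range(2000)], matched=400)
# Evasive sweep: same account, 50 uploads of 40 numbers, stepping by 3.
STRIDED_BATCHES = [
    ImportBatch("u3", [str(447700900000 + 3 * i) for i in range(k * 40, (k + 1) * 40)], matched=8)
    for k in range(50)
]

if __name__ == "__main__":
    print("real book:", score_import(REAL_BOOK))
    print("naive sweep:", score_import(SWEEP))
    print("strided, per batch:", any(is_enumeration(b) for b in STRIDED_BATCHES))
    print("strided, merged:", score_import(merge_by_account(STRIDED_BATCHES)["u3"]))
```

The per-batch view passes every one of the strided uploads and the merged view fails them, which is the design point: the signal lives in the volume and hit rate per account over time, not in any single request. A real deployment would also cap how many lookups one account may resolve per period, since the heuristics only tell you who to throttle.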

My twitter account got flagged as suspicious even though I haven't used it during the past few months and have a long random password. Now they want my mobile number to "verify" me in addition to a captcha. It is ridiculous and obviously tech companies can't be trusted with personal data of that caliber. I have never used my real name with that twitter account and now they want to know it all, why? Greed is my guess.

Discord asked for 'phone verification' yesterday after failing to sign in successfully a couple of times. If they didn't have my phone before, how will having it now verify anything?

Nope. Account disbanded.


It is a strange thing to consider how we view privacy these days. We share so many things and allow our privacy to be invaded in ways that would shock people 30 years ago.

On the other hand, everyone used to get a book delivered to their house every year with the information that is contained in this leak. I remember when you were considered a bit of a crank if you had your number as unlisted in the phone book.


The reaction here is why I start losing faith in humanity.

This "leak" has been blown way out of proportion. This leak, if anyone has actually bothered to look into it, will tell you there's very little of value available. For instance, there are no passwords.

There are about 2.5 mil emails that in all likelihood are already out in the wild. For the phone numbers, you can just robo-dial (there aren't many to be found, mind you). For everything else, they are data that the users have set public on their profiles, so they are meant to be seen, and you can readily search for them on Facebook already.

ALL THE LEAKED DATA WAS PUBLIC.

Do better HN.


I am surprised how the Facebook stock is pretty unaffected by all of this.

I own some of their stock and I keep buying more. Reason: FB is doing a great job with advertising and they are not just Facebook but also Instagram and other things.

Counterpoint: Facebook is taking your invested money and doing terrible things with it. Why fund that?

It's priced in.

/s of course, but maybe people really don't care because FB has been in so many of these types of controversies?


They are subsidized. Stock may not be best indication of the performance of the company.

That’s the problem with free ad-based media giants. For an individual, the deadly combination of the platform being large enough, free and closed (no APIs for feature-complete third-party cross-platform clients) means a huge barrier to switching over to a different social provider with a better ethical, infosec and privacy track record, and all the while the company’s interests are aligned with those of the advertisers, the actual paying users. Stock performance, of course, reflects that.

> Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.

From here https://www.dataprotection.ie/en/news-media/press-releases/d...


Thanks for posting the only useful addition to the thread. :)

So the authority is still looking into it. They could still reach an agreement with Facebook on what to do. Then Facebook would probably be shielded from whatever liability those actions would supposedly cause (their excuse "we might make mistakes"), because "we were told to".

