Troy Hunt, the Australian security researcher who runs the HaveIBeenPwned breach reporting website, has added the 533 million phone numbers exposed in the Facebook data breach to his site.
That means if you are concerned that your mobile number was part of the Facebook leak that was revealed this past weekend, you can go to https://haveibeenpwned.com/ and check it.
“I had never planned to make phone numbers searchable,” Hunt explained in a blog post today (April 6). “The Facebook data changed all that.”
HaveIBeenPwned was designed to let people check whether their email addresses or passwords have been exposed in data breaches. But most of the leaked Facebook records did not have an email address attached, and none had a password.
“There are over 500 million phone numbers, but only a few million email addresses, so >99% of people were getting a ‘miss’ when they should have received a ‘hit,’” Hunt wrote.
We’ve seen at least one other website pop up that offers to verify your phone number against Facebook data. Since this is exactly the kind of thing scammers could set up to capitalize on a huge public scare, we recommend sticking with HaveIBeenPwned.
Facebook leak: What can you do about it?
So what can you do if you discover that your mobile phone number is part of the Facebook leak?
First, be more careful about spam and scams that reach you through calls and text messages. Like the landline numbers of yesteryear, mobile numbers have effectively been made public, and anyone can try to reach you on yours. Don’t assume that because someone is texting or calling you, they know you.
Second, if you have two-factor authentication (2FA) enabled on your online accounts, and you should, change the text message 2FA verification method to other forms of verification on as many accounts as you can.
Text messages are not a safe 2FA channel: they are not encrypted, they can be intercepted and they can be forged. Businesses use them for 2FA simply because most people have cell phones.
The easiest 2FA method to adopt after texting is probably an authentication app, which will generate the same kind of four- or six-digit temporary code on your phone that a business would text you. We recommend the Authy, Duo or Google Authenticator apps.
You can also sign up for push notifications, which Microsoft and Google have gotten pretty good at. If you want to be extra safe, buy two USB security keys. They start at about $20 online, but you’ll want a backup in case you lose the first one.
Each of these methods is configured differently, but every online service that supports them will have instructions on its website.