Troy Hunt, the Australian security researcher who runs the HaveIBeenPwned breach-notification website, has added the 533 million phone numbers exposed in the Facebook data leak to his site.
That means if you’re worried your mobile number was part of the Facebook leak that was revealed over this past weekend, you can just go to https://haveibeenpwned.com/ and plug it in.
“I’d never planned to make phone numbers searchable,” Hunt explained in a blog post today (April 6). “The Facebook data changed all that.”
HaveIBeenPwned was designed to let people check to see if their email addresses or passwords had been compromised in data breaches or data leaks. But most of the Facebook records exposed had no email address attached, and none had passwords.
“There’s over 500M phone numbers but only a few million email addresses so >99% of people were getting a ‘miss’ when they should have gotten a ‘hit’,” Hunt wrote.
We’ve seen at least one other website spring up offering to check your phone number against the Facebook data. A lookup page that asks for your number is exactly the sort of thing scammers set up to capitalize on a big public scare, and anything you type into it goes straight to whoever runs it, so we recommend sticking with HaveIBeenPwned.
Facebook leak: What you can do about this
So what can you do if you discover your mobile number is part of the Facebook leak?
First, be more aware of spam and scams targeting you via calls and texts. Like landlines of yore, mobile numbers have effectively become public, and anyone can try to reach you on yours. Don’t assume that because someone is texting or calling you, they know you: caller ID is trivial to spoof, and the leaked records pair numbers with names, so a stranger greeting you by name proves nothing.
Second, if you have two-factor authentication (2FA) enabled on your online accounts — and you should — then change the 2FA verification method from text messages to other forms of verification on as many accounts as you can.
Text messages are not a secure channel. They are not end-to-end encrypted, they can be intercepted or redirected (a SIM-swap or port-out attack moves your number to an attacker’s phone, and knowing your number is the first thing that attack needs), and the sender ID can be spoofed. Companies use them for 2FA largely because almost everyone has a phone number and nothing has to be installed.
The easiest 2FA method to adopt after text messages is probably an authenticator app, which generates on your phone the same kind of six-digit (sometimes eight-digit) temporary code that a company would otherwise send you by text. The difference is where the code comes from: it is computed from a secret stored on your phone plus the current time, so nothing travels over the phone network and knowing your phone number gives an attacker nothing. We recommend the Authy, Duo or Google Authenticator apps.
You can also use login-approval prompts pushed to your phone, which Microsoft and Google have gotten quite good at; just approve only prompts for logins you started yourself a moment ago. If you want to be super-secure, buy two USB security keys. They start at about $20 online, and you’ll want a backup in case you lose the first one. A FIDO2/WebAuthn key also checks which site it is talking to, so a look-alike phishing page cannot reuse the response.
Each of these methods has its own way of being set up, but each online service that supports them will have instructions on its website.