by mckirk 1901 days ago
True, hashes would be completely trivial to reverse, I didn't think that through :D

And you're right, the only way to build a HN-friendly version would probably be to basically do the checking client-side, since any additional information you send to the server could be directly used to narrow the search space.

I think I read that there are some email addresses in the leak though; wasn't HaveIBeenPwned searching only for those, but not for numbers?


Oh, you're right, there are some email addresses, but not many. In the first 10,000 rows of Australian data, there are 62. I could be wrong, but I think the extra data about users (i.e., location, email address, relationship status, workplace) was scraped from Facebook so it only includes it when it was already publicly visible.
Just brute-force his website’s form with a polite delay between requests and enumerate your own list of numbers!
I laughed, then had another idea: Rather than send the server one number to check, generate another 99 random numbers in the client and send them all to the server. The client receives the status of all of them and shows the status of the entered number. The server never knows the actual number, and the phone number address space is saturated enough that many or most of the random numbers are also real numbers.
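The batched-decoy lookup described in that comment, as an added example that is not code from the thread or from the site being discussed. The Australian mobile format (04 plus eight digits), the toy server and the breached set are all constructed for the demo. Beyond the comment's idea, the block also shows the caveat a practitioner would want: if the client draws fresh decoys on every repeat query for the same number, the server can intersect the batches and recover the real number, so the client below caches the batch per number.

```python
import secrets

BATCH_SIZE = 100  # the "99 random numbers plus the real one" from the comment


def random_au_mobile():
    """Return a random number shaped like a real Australian mobile.

    Assumed format for this demo: '04' followed by eight digits. Decoys must
    come from the same distribution as real inputs, or the server can pick
    the real number out of the batch by its shape alone.
    """
    return "04" + "".join(str(secrets.randbelow(10)) for _ in range(8))


def build_batch(real_number, batch_size=BATCH_SIZE):
    """Hide real_number among batch_size-1 distinct random decoys, shuffled."""
    decoys = set()
    while len(decoys) < batch_size - 1:
        candidate = random_au_mobile()
        if candidate != real_number:
            decoys.add(candidate)
    batch = list(decoys) + [real_number]
    secrets.SystemRandom().shuffle(batch)  # CSPRNG shuffle: position must not leak
    return batch


class ToyServer:
    """Stand-in for the lookup site; also records what it learns per request."""

    def __init__(self, breached_numbers):
        self.breached = set(breached_numbers)
        self.requests = []  # every batch seen, as a curious server would log

    def check(self, batch):
        self.requests.append(list(batch))
        return {number: number in self.breached for number in batch}


def naive_lookup(server, real_number):
    """Fresh decoys on every call: the scheme as described, with no caching."""
    return server.check(build_batch(real_number))[real_number]


class DecoyClient:
    """Client that looks up numbers via decoy batches.

    The batch for a given number is generated once and reused, so repeat
    queries send the server the same 100 candidates instead of fresh decoys
    it could intersect away.
    """

    def __init__(self, server):
        self.server = server
        self._batches = {}

    def is_breached(self, real_number):
        if real_number not in self._batches:
            self._batches[real_number] = build_batch(real_number)
        return self.server.check(self._batches[real_number])[real_number]


def candidates_from_intersection(requests):
    """Server-side narrowing: numbers common to every batch from one client."""
    common = set(requests[0])
    for batch in requests[1:]:
        common &= set(batch)
    return common


if __name__ == "__main__":
    breached = {"0412345678", "0498765432"}  # constructed sample, not real data

    server = ToyServer(breached)
    for _ in range(3):
        naive_lookup(server, "0412345678")
    print("naive repeat lookups, server can narrow to:",
          candidates_from_intersection(server.requests))

    server = ToyServer(breached)
    client = DecoyClient(server)
    for _ in range(3):
        client.is_breached("0412345678")
    print("cached batch, server candidates left:",
          len(candidates_from_intersection(server.requests)))
```

Even with caching, the server still learns that the real number is one of the 100 in the batch; the scheme buys a 1-in-100 guess, not zero knowledge, and it only holds while the decoys are indistinguishable from real input.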
That is similar to how I checked, actually.

;)