[MarcoBuster]

I am a co-author of the site. We are already aware of your concerns about giving out your phone number. The source code is free and reviewable on Github. We know it's not possible to verify what's running on a server but we hope it adds a level of trust. We are currently hashing all phone numbers so we don't have to deal with them anymore. We will keep you updated.

[esamatti]

Hash the phone number in the browser before sending it to your server. That way it is at least possible to verify via devtools what is being send.

Heck. Allow even prehashed phone number to be entered.

[brigandish]

I understand the frustration but they have the data and hence, a rainbow table, sending a pre-hashed phone number is the same as sending an unhashed one, unless the worry is man in the middle, who is just as likely to get the data.

The only way to check without giving up personal info is to get the data and look locally, or perhaps search for so many phone numbers that yours is buried in the haystack.

[bra1n]

That only holds for numbers already part of the dump. If you submit an unknown phone number that is not contained in the leak, hashing it before sending it will increase data privacy.

[social_quotient]

So a rainbow table of just 2.9 billion numbers covers the USA phone set. So I think searching for a specific number clear or hashed are roughly similar exposures. Maybe the right way to search without disclosure is really to filter. Meaning instead of putting in your full 10 digits. You just put in 7/8 and it returns a list of the rest for you to see. Then you visually scan to find your number out of the returned 9999 results.

(Assuming seeing hacked numbers are public already - but I don’t love this either)

What’s a secure way of searching without disclosure by either party? (Non troll question)

[CloselyChunky]

I think HIBP implements it like this: you hash your email/phone number and send only a prefix of the hash to the server. The server responds with a list of hashes matching the prefix. Now you can check if your hash is in the list. If so, you have been pwned. This way the server never knows which email you are requesting since it only ever sees a part of the hash.

[nvoid]

> What’s a secure way of searching without disclosure by either party?

Download the original data set. US records are around a GB file.

[MarcoBuster]

That's what we're planning to do. Thank you

[skytreader]

> Your phone number has not been found in the leak. This is good, but you should be worried anyway.

I, too, am wary of Facebook but to other people, without reasoning provided, this sounds like FUD. Maybe at least link to an article explaining why they should be concerned anyway.

[sabujp]

checking the code i don't see where it's being hashed in the browser before checking the backend yet