by coatmatter 1897 days ago
Non-technical speculation, but based on my own experience as an ordinary Facebook user:

I'm increasingly confident that this breach/leak has come about mostly through the privacy search setting (buried in Facebook's privacy settings, https://www.facebook.com/settings?tab=privacy) which allows "Everyone" to search for a number in order to find your profile if so enabled.

This is a bit like an option that PayID/Osko (instant bank transfers) in Australia allows - one could bash through random mobile numbers and discover more information than just the number. I've always found this option to be creepy because I don't want people who might otherwise legitimately have my phone number to be able to facestalk me.

Please note that this is separate to displaying contact info publicly on one's profile page - yes, there is a dizzying array of different privacy settings on Facebook. Would Mark Zuckerberg have ever displayed his phone number publicly? I doubt it. But would he have allowed others who already have his phone number to search for him on Facebook? I'd say almost certainly yes.

I used to use Facebook more than I like to admit and I have provided my phone number to Facebook in the past, yet have managed to avoid being in this breach, whereas some people I know are in the data set. This means I'm quite sure that I'm not returning false negatives with the search.
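The mechanism the comment above describes (a "who can look you up by phone number" setting left at "Everyone", plus a script bashing through number blocks) is worth seeing in code. The block below is an added example, not Facebook's code and not the commenter's: it models an assumed directory with a per-user lookup audience, shows how an open lookup becomes an enumeration oracle, contrasts it with a caller-identified, budget-limited lookup, and runs a simple block-walking detector over constructed request logs. All phone numbers, names, client IDs, log format and audience values ("everyone", "friends", "nobody") are made up for the example.

```python
"""Added example (not Facebook's code): a phone-number reverse lookup modelled
on the "who can look you up by phone number" setting, showing why an open
lookup is an enumeration oracle, a quota-bounded variant, and a detector
that flags block-walking in constructed request logs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    name: str
    phone: str      # E.164 form; every number below is made up
    audience: str   # assumed setting values: "everyone" | "friends" | "nobody"


# Constructed directory; the audience field stands in for the privacy setting.
DIRECTORY = {
    "+61400000101": Profile("Alice", "+61400000101", "everyone"),
    "+61400000102": Profile("Bob", "+61400000102", "friends"),
    "+61400000105": Profile("Carol", "+61400000105", "everyone"),
    "+61400000107": Profile("Dave", "+61400000107", "nobody"),
}
# Assumed friendship edges (caller_id, friend_phone) honoured by the hardened lookup.
FRIENDS = {("client-normal", "+61400000102")}


def lookup_open(number: str) -> Optional[str]:
    """Weak behaviour: no caller identity and no budget, so any caller resolves
    any 'everyone' profile and a script can walk whole number blocks."""
    p = DIRECTORY.get(number)
    return p.name if p and p.audience == "everyone" else None


def enumerate_block(prefix: str, start: int, count: int) -> dict:
    """What a scraper does against lookup_open: try every number in a block
    and keep the hits. Returns {number: name}."""
    hits = {}
    for n in range(start, start + count):
        number = f"{prefix}{n:03d}"
        name = lookup_open(number)
        if name:
            hits[number] = name
    return hits


class QuotaLookup:
    """Hardened behaviour: the caller is identified and gets a fixed budget of
    lookups, and 'friends' profiles resolve only for callers on the friend
    graph. The budget is what turns a free oracle into a bounded one."""

    def __init__(self, budget: int = 50):
        self.budget = budget
        self.used = defaultdict(int)

    def lookup(self, caller: str, number: str) -> Optional[str]:
        if self.used[caller] >= self.budget:
            raise PermissionError(f"{caller}: lookup budget exhausted")
        self.used[caller] += 1
        p = DIRECTORY.get(number)
        if p is None or p.audience == "nobody":
            return None
        if p.audience == "friends" and (caller, number) not in FRIENDS:
            return None
        return p.name


# Assumed log line shape: "<ts> client=<id> number=+<digits> hit=<0|1>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) number=\+(?P<num>\d+) hit=(?P<hit>[01])$")


def flag_enumerators(lines, min_queries: int = 20, max_hit_rate: float = 0.2) -> set:
    """Flags clients whose lookups look like block-walking: many queries, a low
    hit rate, and mostly consecutive numbers. Non-matching lines are skipped."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m["client"]].append((int(m["num"]), m["hit"] == "1"))
    flagged = set()
    for client, rows in per_client.items():
        if len(rows) < min_queries:
            continue
        nums = [n for n, _ in rows]
        hit_rate = sum(1 for _, h in rows if h) / len(rows)
        steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
        if hit_rate <= max_hit_rate and steps >= 0.8 * (len(nums) - 1):
            flagged.add(client)
    return flagged


def sample_log() -> list:
    """Constructed log: one scraper walking 40 consecutive numbers against
    lookup_open, and one ordinary client resolving three contacts it holds."""
    lines = []
    for i, n in enumerate(range(100, 140)):
        number = f"+61400000{n:03d}"
        hit = 1 if lookup_open(number) else 0
        lines.append(f"2021-04-03T10:00:{i:02d}Z client=scraper number={number} hit={hit}")
    for number in ("+61400000101", "+61400000102", "+61400000107"):
        hit = 1 if lookup_open(number) else 0
        lines.append(f"2021-04-03T11:00:00Z client=client-normal number={number} hit={hit}")
    return lines


if __name__ == "__main__":
    print("scraper harvested:", enumerate_block("+61400000", 100, 40))
    print("flagged clients:", flag_enumerators(sample_log()))
```

The detector keys on the shape of a scrape rather than on volume alone: walking a block yields consecutive numbers with a low hit rate, which ordinary contact syncing does not. The quota in `QuotaLookup` is deliberately small; the point is that a per-caller budget, not the per-user audience setting, is what bounds how much of the directory one client can learn.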


Only ~32m of ~190m US FB accounts were in this breach, so it's not surprising if you live in that country and are not in the breach.
Looking at the full breakdown [0], a bunch of Middle Eastern countries have near 100% breach. It seems like they were the target, and all the other countries were just collateral damage maybe? Canada, US, UK, all sitting around 10-20%.

[0] https://datastudio.google.com/u/0/reporting/afa08373-621e-4e...

Facebook has released an official statement which appears to confirm my suspicions about how the data was more or less obtained (i.e., via number search): https://about.fb.com/news/2021/04/facts-on-news-reports-abou... (relevant discussion at https://twitter.com/troyhunt/status/1379579465148157953).

But I too noticed the breach rate in the Middle East seemed unusually high, except my initial assumption was that perhaps the way Facebook was introduced there led to different behaviours in how one finds each other on Facebook. Perhaps it could be even something as simple as small differences in translation that lead to different behaviours when it comes to setting up a Facebook account.

The reason this is my initial hunch (rather than any kind of targeted campaign) is because different parts of the world interact differently with different communications platforms. For example, iMessage is very popular in USA whereas other parts of the world favour WhatsApp, or Telegram, or WeChat, etc. Is there any one concrete reason why one population might choose one "less secure" app over another "more secure" chat app/social network? I'd say probably not and yet, we see large variations depending on which border surrounds a user.

So perhaps a similar 'benign' explanation could explain the high breach rate in certain countries. Perhaps phone numbers are treated differently there too? Other than that, I have no idea. Unfortunately, I know very little about the Middle East let alone the languages there, so this is mostly just a guess.

The rates in those countries are way too high to be some optional feature like a messenger. It has to be something that was 100% turned on in those countries, but maybe optional/opt-in in the west? Or maybe they were doing gradual rollout of the feature, and they had rolled out in those countries fully and were at like 10-20% rollout in north america?
This statistic isn't applicable to me.