by wunderflix 1903 days ago
Could someone elaborate on what the worst-case exploit would be for those numbers that got leaked? What would a scenario look like? Asking for a friend whose number got exposed...
4 comments

It's still going to be a scam message, but they can use your Facebook ID to see everything public on your profile now, as well as the other fields in the leak like full name, location, bio, birthday. So whatever the most convincing scam message somebody can come up with is combining all of that data. Off the top of my head, "happy birthday here's a gift from us" messages from companies leading to phishing pages and personalised fake register to vote pages relating to upcoming elections in your area.

It's not really new data, it's just that scam SMS I've received in the past have never shown any sign of knowing anything other than my phone number. Now you can buy phone numbers and pull personalisation data unrestricted from your copy of Facebook's database for each of them. I'm sure sophisticated scammers already were, but now everyone will.

Birthday is a form of identity verification too, for password reset.
None of the birthdays I enter are real. :P
And no one should put a real birthday lol. Birthday is mostly used for targeting ads.

This is why Facebook can say to advertisers, "We mostly have young people using our service. So please put your money on our company."

And yes, using the account of a 60-70 year old always receives fewer ads :D

They have to be consistent, yes? If I enter 6/7/1989 everywhere they just have to get it once.
I use different ones for each account and write them down like passwords if it somehow ends up being a hint for password recovery etc.
My university is known to offer the option of paying tuition through a popular online system. This option is done by sending each student, at the start of the year, an SMS with a link to a payment option.

Suppose you can get a list of people studying there, their names, and their phone numbers. Faking this SMS and putting in a payment that goes to you instead of the uni would be a nice way to earn about 2000 euros per student who falls for it.

> My university is known to offer the option of paying tuition through a popular online system. This option is done by sending each student, at the start of the year, an SMS with a link to a payment option.

They don't email this information? They don't put it on an online notification system? I have no idea why SMS seems like the logical option for this.

Kids are more likely to text, less likely to email these days. I can understand why they’d use SMS for their target demographic.

That doesn’t justify the security implications of doing this...

Do kids still text or is that a generation or two removed from the current iMessages/WhatsApp/Signal/WhateverComesAfterSignalBecauseImOldAndDontKnow?
I'm sure they'd prefer to receive notifications from their university on WhateverComesAfterSignalBecauseImOldAndDontKnow, but I imagine that SMS is the 2nd best thing (and probably still generates eye-rolling about the university being old fashioned).
But then you're stuck logging into the payment portal and filling out the form information with your phone, which is my own personal hell.
I do not know why they do this. I really wish they would stop.

I have considered faking the SMS message, with the payment link saying "imagine this wasn't a warning message but an actual payment request, please tell the university this is unsafe". But sending that kind of mass SMS is not easy, nor is finding the correct phone numbers.

The email option is arguably an easier (cheaper) attack vector than the SMS messages would be.
Yeah, I thought of that after I wrote it. Send it to all the university accounts you can get your hands on, see who you catch. It's probably just personal preference showing through as well, as I wouldn't be comfortable paying with my phone. I also have no idea how people substitute their PC with an iPad or phone. Much harder to fill out a page of fields and navigate around, and I'm sure that Google Pay won't support $15,000 payments.
If your phone is your 2FA, someone uses this data to target you for a SIM swap to take over your phone, and then uses it to take over high-value accounts.
What some spammers do in my country, for example, is call old people and pretend their (grand)children were involved in an accident and ask for money for quick interventions (the hospital is out of funds, bla bla). It's sometimes hit or miss because the person might be next to them, or they just talked, or sometimes they can't figure out if you have a daughter or a son etc.

With a correlated leak like this, it's super easy for me to find your profile, see who you are, what you look like, even from just your profile picture I could potentially see you have a daughter yourself, so I can target your mother that something happened to her granddaughter and you, which would make her pay up even faster possibly.