by Nextgrid 1565 days ago
Depends. For DOB and phone numbers, the search space is finite and very small for a modern computer (especially so for a big tech adversary having access to near-infinite computing power), so you can just enumerate all the possibilities.

Names and emails can be brute-forced with various lists from existing data breaches or data brokers, and you'll probably reverse 80% of them.

However, reversing them is not even necessary - an adversary like Facebook can infer it based on other data. For example, let's say they know your phone number but not your email - now you buy/sign up to vendors providing both that phone number and email and they provide it to Facebook - now Facebook knows that you signed up to those vendors with your number (as they have the plain text value, can hash it on their side and compare), but they also see that there's a mysterious email hash - they don't know its plaintext value, but it perfectly matches the same vendors that have your phone number. They can infer that it's probably your email address, and while they still don't know what it is, they can use the hashed value to track you across other vendors without ever having to know the plaintext value.
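An added example, not part of the comment above or of any vendor's code: a check a data-protection engineer could run to see whether a "hashed" field is actually pseudonymous. It assumes unsalted SHA-256 over ISO-format dates and a 1920 to 2020 birth range; every value and key is constructed, and the per-vendor HMAC is shown only as a contrast, not as something the thread proposes.

```python
import hashlib
import hmac
from datetime import date, timedelta


def sha256_hex(value: str) -> str:
    """Unsalted hash, the form the comment says vendors share."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dob_space_size(first: date, last: date) -> int:
    """Number of candidate birth dates in the inclusive range."""
    return (last - first).days + 1


def find_dob(target_hex: str, first: date, last: date):
    """Return the ISO date whose SHA-256 equals target_hex, else None."""
    day = first
    while day <= last:
        if sha256_hex(day.isoformat()) == target_hex:
            return day.isoformat()
        day += timedelta(days=1)
    return None


def keyed_pseudonym(key: bytes, value: str) -> str:
    """HMAC-SHA-256 under a secret key the recipient does not hold."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def linkable(a: str, b: str) -> bool:
    """Two identifiers can be joined across datasets iff they are equal."""
    return hmac.compare_digest(a, b)


# Constructed sample data (assumptions, not real records or real keys).
FIRST, LAST = date(1920, 1, 1), date(2020, 12, 31)
SAMPLE_DOB = "1987-06-15"
SAMPLE_EMAIL = "person@example.com"
VENDOR_A_KEY = b"constructed-key-vendor-a"
VENDOR_B_KEY = b"constructed-key-vendor-b"

if __name__ == "__main__":
    print("candidate dates:", dob_space_size(FIRST, LAST))
    print("unsalted DOB hash resolves to:",
          find_dob(sha256_hex(SAMPLE_DOB), FIRST, LAST))
    print("keyed DOB resolves to:",
          find_dob(keyed_pseudonym(VENDOR_A_KEY, SAMPLE_DOB), FIRST, LAST))
    print("unsalted email hash links across vendors:",
          linkable(sha256_hex(SAMPLE_EMAIL), sha256_hex(SAMPLE_EMAIL)))
    print("per-vendor keyed email links across vendors:",
          linkable(keyed_pseudonym(VENDOR_A_KEY, SAMPLE_EMAIL),
                   keyed_pseudonym(VENDOR_B_KEY, SAMPLE_EMAIL)))
```

Per-vendor keys stop both enumeration and the cross-vendor join, which also means the recipient can no longer match records, so they do not fit a data-sharing scheme whose purpose is matching.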

1 comment

Right. That's kind of the whole point of FB's value. Or at least used to be before iOS started killing that targeting and conversion tracking.