Hacker News new | ask | show | jobs
by andrewallbright 1294 days ago
So... what advise is there for technology comfortable people who want to mitigate the effects of data leaks like these? It seems like data provided is will be exposed eventually and company size doesn't seem correlate with data safety.

For example should people be advised to rotate phone numbers every N amount of time?
3 comments
kadoban 1294 days ago
The basic stuff helps a decent amount. Assume your name, phone, email, address are all public. Don't reuse passwords, ever (use a password manager), use 2fa wherever possible, ideally not the SMS kind. Use a password manager that has a tie-in with haveibeenpwned or whatever so you know asap to change your creds.

Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.

If you can, have a separate setup (completely separate email account(s), not just aliases, and even separate hardware to access them if you can) for very important accounts, the ones that would ~ruin your life for a good bit if they got taken over (bank, retirement, etc.)

There's also credit monitoring type stuff, which I've never been clear how useful it is, but might be worthwhile. You also may get it free if some company you use has a leak and they try to PR it away that way.

I think there's some way to basically lock your credit against new accounts, I need to look into that someday, don't know the details or if it even exists.

link
reaperducer 1294 days ago
Assume your name, phone, email, address are all public.

Someone on HN will invariably point out that this is how it was for the last hundred years, and it was only when we made computers powerful enough to abuse the information that this level of privacy became a concern.

I remember the days when your name, address, and phone number were public information. I paid something like $15/month to keep it out of the phone book.

What I recently learned, browsing through old books that a local library was throwing away, is that sometimes those phone book listings would also include things like a woman's maiden name, and the name of her husband, and/or marital status. Something like:

  Smith, Margaret C (nee Jones, widow of George): 202-555-1212
That part was new to me.
link
Kiro 1294 days ago
In Sweden almost everything about you is public information. Your address, social security number, tax records, criminal record etc.
link
kadoban 1294 days ago
To be honest, that's close to how it should be in an ideal world. But US companies went down the obviously-moronic path of treating social security numbers as passwords and now we're stuck.

Eventually the bulk of the world will probably end up with some sort of government-managed crypto-ID, but it's sure going to take the US a long time to get there.

link
BrandoElFollito 1294 days ago
Out of curiosity: does this lead to more identity theft (or misuse)?
link
LadyCailin 1294 days ago
I live in Norway, which has a similar system, so I can’t answer for op, but the answer here is, no. Your “social security number” is not ever used as a password or other form of presumably secret key. While you probably don’t go blabbing it everywhere, there’s not much you can do if you know mine. You would also have to physically steal my phone and also learn my secret pin, or break into my fire safe in order to successfully use my personal number for anything. Address and phone number are the same thing, that’s just where you mail things to, it’s not used as a secret key.
link
BrandoElFollito 1294 days ago
I live in France and while we do not have public records (or just a very few), we do not have identifiers that can be easily used to do something nefarious. Our social security number, or the tax one is not used anywhere as a secure identifier (as opposed to, say, US with their SS# that is tragically comical).

We do like secrecy, though, and opening up the tax reports and addresses would be a 12 on the Richter scale of earthquakes. I do not know whether that would be good or bad but it would lead to all sorts of social unrest.

link
MertsA 1294 days ago
No, instead they use this radical method called actually identifying the person they're about to give a bunch of cash to instead of trying to pretend a username is a password.
link
BrandoElFollito 1294 days ago
Sorry, I did not understand your comment (English is not my first language)
link
MattDemers 1294 days ago
>Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.

If you pay for ProtonMail, you get a SimpleLogin Premium for free, which makes the creation of dummy/alias emails a lot easier. They're owned by the same company.

link
screamingninja 1294 days ago
> If you pay for ProtonMail

These are free for all-

https://relay.firefox.com/

https://duckduckgo.com/email/

link
grammers 1294 days ago
I've been using alias addresses since forever, though with Tutanota, not Proton (due to cost & nice app). It's great when you can simply deactivate an address and the spam stops coming.
link
kadoban 1294 days ago
That sounds nice. I use bitwarden's "plus addressed email" generator I think it's called, the downside being that I need to specifically blackhole anything that bypasses the plus-addressing, or it'd be easy for anyone that actually looks to bypass.

There still is the chance that some spammer will figure out that "blah+any-random-string" works for my email, but I'll deal with that if someone bothers someday. I'd just need to add an allow-list or something probably.

link
MattDemers 1294 days ago
Yeah definitely; the "+" alias is built in to most emails (like, it works on Google/Proton at least). I'm more just saying that if you pay for ProtonMail (and therefore care about privacy more than the average person) you get another service for free that doesn't expose your "real" email if someone cared to look.

Someone can look at joe+spam@joeschmo.com and figure out Joe's "real" email address. Something like SimpleLogin (sorry, not a shill for them, I swear) gives you a completely new email/domain (and lets you set up your OWN domains), which then forwards to your proper inbox.

link
kadoban 1294 days ago
Yeah it's definitely a better pattern, I hope more companies create something like it. I think I heard Apple is doing something similar maybe? I seem to recall Fastmail has one too, pretty sure I saw it in the bitwarden settings last I went in there.
link
MattDemers 1294 days ago
Apple does this with email forwarding aliases on your phone; I can sign up using a generated Apple relay, which then pushes to your main email. I don't like it that much, mostly because you're still kind of locking into the Apple ecosystem, though.
link
idiocrat 1294 days ago
>Don't reuse passwords, ever

Note to myself: change the combination on my luggage.

https://www.youtube.com/watch?v=LcHnf7VQuhc

link
jsnell 1294 days ago
The advise is to do literally nothing about it. What effect do you think this specific leak has on you? What kind of adversary do you think will be able to benefit from this data, and how?

The reality is that the data is useless trash, and there is no indication that this has actually leaked from Facebook or is showing any kind of security problem in their systems.

link
A4ET8a8uTh0 1294 days ago
<<The reality is that the data is useless trash,

That remains to be seen. People are fairly ingenious when it comes to abusing information and information runs the world now. I will offer an unrelated example, partially because I do not want to give ideas on how to benefit from this. Do you remember when certain entrepreneurial billionaire offered a checkmark for sale, which resulted in people impersonating companies and manipulating their stock price[1]?

Like with most things, any tool is worth what one is able to do with it.

<< The advise is to do literally nothing about it.

I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.

[1]https://www.fiercepharma.com/marketing/eli-lilly-hit-new-twi...

link
jsnell 1294 days ago
> Like with most things, any tool is worth what one is able to do with it.

Yes, and given an attacker will not get new capabilities from this data, it is worth nothing.

Any attack that could be feasibly run with a list of nothing but phone numbers associated with some (unknown) WhatsApp account could be done without that list just as easily. That's because of two things: a) phone numbers within a given country are easy to enumerate, b) the WhatsApp account space is dense, i.e. the odds of any legit phone number being used for WhatsApp is high.

> I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.

If you can't formulate a realistic threat from this data, how can you possibly re-evalate your security posture in light of it? You need a threat model for that. Pondering about the security of one's digital life can of course be worthwhile in general, but advising anyone to do so in the context of this linkbait is just advising them to waste their time.

In your Twitter example, the impersonation did not come as a surprise. People were predicting that outcome within minutes of Musk announcing it. Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?

link
A4ET8a8uTh0 1294 days ago
<< If you can't formulate a realistic threat from this data, how can you possibly re-evalate your security posture in light of it?

You do have a point and it is possible I misunderstood the 'value proposition' from this data set.

From the forum referenced in the article:

"Name / Whatsapp Number - Country Wise "

What I see in that post is name field ( or potentially just a number ) and country field. If I was a person buying it, the main benefit would be "being able to reach a seemingly random ( unless it is separately checked against some other available list/s ) individual in a desired geographic location". As you correctly assessed, by itself it is not a terrible security threat.

<< Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?

Yes ( although admittedly, mostly because "bad things" is sufficiently generic to allow for it and I already admitted I think you are right on the security aspect ).

Fraud-wise this is a perfectly sufficient set of information ( current valid numbers likely corresponding with real phone numbers ) as those tend to be number games anyway ( one out of how many answers a spam email type of deal ). In that area, the most common scam lately is grandson scam[1] or romance scam[2]( those having extra benefit of less likely being reported even if others point it out to the victim ). Seniors do seem to use Whatsapp in the old country partially due to price and reliability ( dunno how common it is in US though ) so they fit that target demographic, but that assumes fraudster can reliably identify a victim set of seniors ( or burn existing set with a more generic pitch ). For non-seniors, crypto scams seemed very common lately ( and how many people just click yes, when an invitation pops up ) although recent crash likely made it less desirable.

In other words, I think you are right about not doing anything specific security-wise, but it may be worthwhile talking with your social circle if they use Whatsapp since they may now see an increase in unsolicited calls/messages/invites and benefit from a conversation about about safety online in general.

[1]https://www.aarp.org/money/scams-fraud/info-2019/grandparent... [2]https://www.fbi.gov/how-we-can-help-you/safety-resources/sca...

link
drdaeman 1294 days ago
People should be advised to not use phone numbers at all.

There was a joke "all phone numbers leaked" list that just listed everything from 000-000-0000 to 999-999-9999. If there is no other information associated (names, pictures, emails, anything) then this leak is of almost comparable severity.

link
philjohn 1292 days ago
We used to have these things called Phone Books, that literally, contained everyone's phone numbers.

We didn't call those leaks.

link
lawtalkinghuman 1292 days ago
There's an important difference between people being able to do inefficient paper-based one-off `SELECT ... LIMIT 1` queries when needed and the entire world being able to find new and exciting ways to search, join and mix data at great speed—the latter tends to enable new and exciting ways for the data to be used both for commercial gain, criminal purposes, and abusive trolling. (See: the history of internet harassment for the last 20 years.)

Pointing out that we used to put all the phone numbers in a book published by the phone company and now we don't is historically true but practically unimportant, just as "hey, sorry to hear your house got broken into, but you know, people in IDYLLIC_RURAL_HAMLET don't even lock their front doors like you BIG_CITY folks do" isn't useful unless giving up living and working in BIG_CITY and moving to IDYLLIC_RURAL_HAMLET is actually a practical option, which most likely it isn't (and if that were to happen en masse, IDYLLIC_RURAL_HAMLET would suddenly find they'd also need to lock their front doors if their population increased by a factor or two).

Who could have predicted that technological change might lead to shifts in social attitudes? Or, indeed, that the rules, principles and institutions we collectively create to make society bearable have to adapt to said changes?

link