A huge collection of names and phone numbers dropped on hacker forums and passed to researchers over the past week may not be as open to abuse as passwords or credit card details, but criminals will still seek to use it for monetary gain.
The trove of personal data comes from Facebook and appears to have been scraped from the site before being sold around and eventually dumped. It includes more than half a billion phone numbers, matched to names, and a few million email addresses.
In the time since the data appeared publicly, security researchers have been able to sift through and index it to assess the risk of it being used for harm, while criminals have no doubt been doing the same. On Tuesday, the data was loaded into Have I Been Pwned, an online service that can tell individuals if their data is available to crooks.
To check, people can simply type in their email address and hit enter. They can now also search for their phone number on the service by typing it in using an international format (for Australian mobiles that means putting 61 at the start, instead of 0) and hitting enter.
Independent security researcher Troy Hunt, who created and maintains Have I Been Pwned, said Facebook’s leak was significant, but the overall danger was moderate.
Fears that phone numbers could be used for SIM swapping — where criminals intercept text messages to force their way into bank accounts and other services — were overblown. The bad guys simply have a database akin to a phone book.
“We used to have data breaches [like this] every single year. They’d arrive on your doorstep and would be many, many pages of phone number and name associations,” Mr Hunt said.
“If we look at the volume of the data here, the risk is more about the things that can be done en masse than anything that is very targeted [like SIM swapping].”