Facebook really wants your phone number, nagging you for one as soon as you join. This isn’t all bad, since it can help secure your account with two-factor authentication. On the flip side, it makes it easy to reveal the private phone numbers of virtually anyone on Facebook, including celebrities and politicians. We’re going to look at how a hacker would do this and how to protect yourself.
Many Facebook users may not even realize that their private phone number is connected to their Facebook account, having forgotten that they added it. Facebook isn’t allowed to simply extract your number from your phone, but it can do what I refer to as the “app equivalent of cyberbullying” by repeatedly asking you to confirm and save your number each time you launch Facebook.
The default privacy setting on Facebook allows anyone to search for you by your phone number once you add it. This is not a new issue. It has been around as long as Facebook Graph Search, but Facebook chooses to see this issue as a feature, as a letter received by Belgian researcher Inti De Ceukelaire shows.
Certainly, some people, such as celebrities and politicians, should be more concerned than others about revealing their private number online. However, anyone could potentially have a cyberstalker or hacker target them. Once a hacker has a phone number and your name, they can quickly use open-source intelligence (OSINT) tools that we’ve covered on Null Byte to grab further public data like occupation, employer, spouse, relationship, and any other public info.
A hacker could use the information to further social-engineering attacks by calling you directly. Think of the classic “Microsoft tech support” scam, only the caller trying to trick you knows your name and intimate details of your personal life. Armed with these, it’s easy to make the target think the caller is legitimate.
How would a hacker actually go about finding your number? In theory, if they had a lot of time, they could just search all 9,999,999,999 potential numbers until they stumbled upon yours. Clearly, this isn’t very efficient, so let’s see the right way of doing it. For a practice subject, I’ll be using DC Mayor Muriel Bowser (2017) as a random city official.
Step 1: Use the Area Code
If you think of a target’s phone number as one of all the possible 10-digit US phone numbers, you can quickly see that 10 billion North American phone numbers is far too large a list to effectively search through. Luckily for the hacker, he can cut this down thanks to the North American Numbering Plan (NANP), which lays out the guidelines for phone numbers within the US.
Let’s take an example: 234-235-5678. Looking at the NANP, we can see that the first three numbers (234) are the area code, and the plan allows for 2–9 as the first digit and 0–9 for the second and third digits. That information right there eliminates one billion possible numbers from the hacker’s list.
The hacker can also quickly take advantage of this if they know or can make an educated guess at where you live, as it’s as easy as a Google search. By doing this, the hacker can remove a further 9 billion 990 million numbers from the list of potential guesses.
The next three numbers after the area code in our example (235) are the central office prefix. Again, the plan calls for 2–9 for the first digit and 0–9 for both the second and third digits, but with a caveat.
In area codes where the second digit is 1, the third can’t also be 1. This yet again removes a large number of phone numbers from the hacker’s list. The last four digits of the phone number are the line number, in this case, 5678.
I took the educated guess that the Mayor of DC would have a DC area code, and a hacker could also look up the target’s Facebook account and likely find a hometown or the current city the target lives or works in. Some larger cities like Los Angeles will have multiple area codes within them, but no matter how many “split” area codes there are, it still greatly reduces the hacker’s list of possible numbers.
Step 2: Get the Last Numbers
Now that I know my target’s number is 202-???-????, I want to try and remove as many of those question marks as possible, making it easier to do a Facebook search later on. Thankfully, Facebook has our back and has made this probably the second easiest step, after using the area code. In order to get the last two numbers, we just have to go a few steps into the password reset process.
To do this, the hacker goes to the main Facebook page and clicks “Forgot account” to start the process.
Next, they enter the target’s name and click the “Search” button.
The hacker is then presented with a list that includes a profile picture paired with each matching account, which helps them quickly identify their target. There’s our target right at the top!
Facebook then kindly provides the hacker the last two digits of the target’s number, along with some information about the email accounts associated with their Facebook account, such as the first and last letter, and sometimes the email domain.
That’s as far as the hacker has to go. They don’t actually reset the password, and they shouldn’t, to ensure the target never receives any kind of notification to tip them off.
With over 218 million users, PayPal and other services can help add to the information the attacker has collected so far. In this case, if the target is a PayPal user, the hacker can get two additional digits of the phone number we’re looking for.
In the picture above, you may have noticed that the first email listed is a Gmail account that starts with “M” and ends with “R.”
That’s funny, since my target’s first name starts with an “M,” and her last name ends with an “R.” To a hacker, this screams “I used my name as my email!” Suspecting this was the case, I checked it on Gmail by typing it in.
Google accepted it, but that doesn’t necessarily mean that it’s the target’s email. The hacker can check by doing the same password reset trick they pulled with Facebook.
Yep, this account just so happens to have a number that ends in 69. Coincidence? I think not. Now that I have an email to work with, I can jump over to PayPal in a new tab and, just as before, use the same password reset trick.
This time, when I get to the password reset screen, I get not only all four digits of the line number, but also the first number of the area code too!
This allows me to be reasonably sure that I’m on the right track with the area code, and verifies my previous work on finding the last few numbers. This means I have the number 202-???-6969 so far. In other words, my list has gone from 10 billion choices to about a thousand in just a few minutes of work.
At this point, a hacker could just start throwing numbers into the Facebook search bar, but that still wouldn’t be that efficient. So what does a lazy hacker do? They take advantage of a Facebook feature that allows you to conduct a bracket search.
Facebook allows you to upload lists of contacts in CSV format, and then tells you if they are on Facebook so you can add them as friends. By constructing my own contact list of potential numbers, I can quickly rule out large chunks of wrong numbers.
In this case, I know the number has to be within the range from 202-000-6969 to 202-999-6969. By cutting that in half and creating a list of numbers from 202-000-6969 to 202-500-6969, I can effectively rule out half of my list, as the target will only be in one of the two half lists created. Then, I can upload the list and instantly determine if they are on it or not.
To create this list, I went to Google Contacts and clicked “Export” to get a sample CSV file to work from.
Facebook prefers to accept the list in Google CSV format, so I saved it as such from Google Contacts.
From there, a hacker can open the file in Google Sheets or Excel and change the column formula for the phone numbers to one that will iterate over the numbers they need to check, as seen in the following example.
In the Excel formula below, I start by taking the lowest-value phone number, in this case, 2020006969, then I add 10,000 to it in order to raise the fifth-place digit by 1. This formula will repeat as many times as needed, but we shouldn’t do it more than 1,000 times because there are only a thousand numbers in our list to guess. If the target hadn’t had a PayPal account to help us derive the third- and fourth-place digits, then we would be adding 100 to raise the third digit instead.
From there, it is simple to sign into a Facebook account and go to the Friend Finder feature. Click on the Gmail logo and then “Find Friends.”
Next, scroll to the bottom of the page and upload your CSV file containing the phone numbers you wish to try.
After it’s uploaded, Facebook presents the hacker a list of “Friends” to add from the list. They would then search for their target inside that list. My target doesn’t seem to be here, so I know they aren’t in this half of our batch of numbers.
Next, instead of testing the next 500, I split the next 500 in half and check one of those halves. This is because I already know the target is on the second list, since they weren’t in the first half. The hacker can continue searching in this way until the target appears on a phone number list.
From there on out, the hacker would test smaller and smaller batches of numbers until they have only a handful to test. I stopped when I had it down to about 30 numbers. Obviously, this will take longer if the hacker has less information about the other digits of the phone number to begin with, as they will have a larger number set to search. Facebook will rate-limit the hacker to a few attempts per day, but they can get around this by signing into another account.
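As an added example from the defender’s side (this is not code from the original article and not Facebook’s own logic), the following Python script shows the kind of server-side check that would catch the bracket search described above even when a per-account rate limit is sidestepped with a second account: it looks at the shape of each contact-import batch rather than at how many uploads one account makes. A real address book is scattered across area codes, exchanges and line numbers; an enumeration batch built the way the formula above builds it is a dense arithmetic progression with a fixed suffix and a single varying digit group, and its successive uploads shrink by half. The account ids and phone lists are constructed sample data, and the thresholds (25 numbers per batch, a stride of at least 100) are assumptions chosen for the illustration.

```python
"""Flag contact-import uploads that look like phone-number bracket searches."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class BatchVerdict:
    account: str
    size: int
    distinct_line_numbers: int
    stride: Optional[int]
    suspicious: bool
    reason: str


def normalize(raw: str) -> Optional[str]:
    """Reduce a phone string to ten NANP digits, dropping a leading country code 1."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def constant_stride(numbers: Sequence[int]) -> Optional[int]:
    """Return the common difference if the numbers form an arithmetic progression."""
    if len(numbers) < 3:
        return None
    ordered = sorted(set(numbers))
    if len(ordered) != len(numbers):
        return None  # duplicates: not a clean progression
    step = ordered[1] - ordered[0]
    return step if all(b - a == step for a, b in zip(ordered, ordered[1:])) else None


def analyze_batch(account: str, raw_numbers: Sequence[str], min_size: int = 25) -> BatchVerdict:
    """Score one upload. Both signals only count on a batch of at least min_size numbers:
    every number shares one line number (the ???-6969 pattern), or the numbers step by
    a constant stride of 100 or more, meaning the varying digits sit in the exchange or
    area code. A stride of 1 inside one exchange is what a company's block of direct
    lines looks like, so it is deliberately not flagged (thresholds are assumptions)."""
    nums = [n for n in (normalize(r) for r in raw_numbers) if n]
    line_numbers = {n[6:] for n in nums}
    stride = constant_stride([int(n) for n in nums])
    reasons = []
    if len(nums) >= min_size:
        if len(line_numbers) == 1:
            reasons.append("all numbers share one line number")
        if stride is not None and stride >= 100:
            reasons.append(f"arithmetic progression with stride {stride}")
    return BatchVerdict(account, len(nums), len(line_numbers), stride,
                        bool(reasons), "; ".join(reasons) or "no enumeration signal")


def halving_pattern(sizes: Sequence[int]) -> bool:
    """True when each upload is roughly half the previous one: a bisection signature."""
    if len(sizes) < 3:
        return False
    return all(0.4 <= later / earlier <= 0.6 for earlier, later in zip(sizes, sizes[1:]))


def flag_accounts(uploads):
    """Group batch verdicts per account and report the accounts with suspicious batches."""
    verdicts = [analyze_batch(acct, nums) for acct, nums in uploads]
    by_account = defaultdict(list)
    for v in verdicts:
        by_account[v.account].append(v)
    flagged = {}
    for acct, vs in by_account.items():
        hits = [v for v in vs if v.suspicious]
        if hits:
            flagged[acct] = {
                "suspicious_batches": len(hits),
                "bisection": halving_pattern([v.size for v in vs]),
                "reasons": sorted({v.reason for v in hits}),
            }
    return flagged


# Constructed sample uploads (account id, phone strings); not real accounts or numbers.
SAMPLE_UPLOADS = [
    # ordinary address book: mixed area codes and exchanges, assorted formatting
    ("user-a", ["202-555-0123", "(301) 555-0199", "+1 703 555 0142", "415.555.0177"]),
    # company directory: 60 consecutive line numbers in one exchange (stride 1)
    ("user-b", [f"202555{n:04d}" for n in range(100, 160)]),
    # bracket search as the article describes it: 202-???-6969 in halving batches
    ("user-c", [f"202{x:03d}6969" for x in range(0, 500)]),
    ("user-c", [f"202{x:03d}6969" for x in range(500, 750)]),
    ("user-c", [f"202{x:03d}6969" for x in range(750, 875)]),
]

if __name__ == "__main__":
    for acct, info in flag_accounts(SAMPLE_UPLOADS).items():
        print(acct, info)
```

Only user-c is reported: its three batches share the 6969 line number, step by exactly 10,000, and shrink 500, 250, 125. The corporate directory block (user-b) is sequential too, but its stride of 1 inside a single exchange is the normal shape of an allocated block, which is why the stride threshold exists.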
Step 5: Test the Last Few Numbers
Once the hacker has it down to a handful of numbers, they can go to the Facebook search bar and type them in one by one. To do so, just type the number into the search bar with no hyphens. If the requests are going too fast, or if they search for too many, Facebook starts to rate-limit them with a CAPTCHA.
However, that’s not much of a defense when the hacker only has 30 numbers to check.
In total, it took me around 30 minutes to an hour to find the target’s number, and these same steps could be used on anyone who has their phone connected to Facebook.
The simplest way to protect yourself is to never connect your phone to Facebook. If you still want to use two-factor authentication, Facebook allows you to use a USB U2F device without having to rely on your phone.
If you absolutely must have your phone connected, navigate to Facebook Settings, select “Privacy,” then “Who can look you up using the phone number you provided?” Set this option to “Friends.” Unfortunately, Facebook doesn’t let you set this to “Only me.”
On a mobile device, you would tap on the three-line menu icon, select “Account Settings” (iOS users will have to select “Settings” first), then tap on “Privacy.” You’ll see the same “Who can look you up” question above, where you can change your preference to “Friends” only.
While this still will not provide absolute protection, it will make the hacker’s life much more difficult.
Thanks for reading! If you have any questions, you can leave a comment here or message me on Twitter @The_Hoid.