
> This time can also be significantly reduced through phone number hints from password reset flows in other services such as PayPal, which provide several more digits (ex. +14•••••1779)

I've never thought about this but it's extra scary. If you have the same phone number and email address with enough services and they all mask in a different order for reset hints...
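To quantify the risk the comment above describes, here is an added example (not from the original thread) that merges differently formatted reset hints for the same number and reports how many digits remain unknown; the hint strings are constructed samples, and the mask glyphs and E.164 length are assumptions.

```python
import re

# Glyphs that services commonly use to mask digits (assumption for this example).
MASK_CHARS = "•*Xx#"
E164_DIGITS = 11  # assumed template length for a US number with country code

# Constructed sample hints, each masking a different slice of the same number.
SAMPLE_HINTS = [
    "+14•••••1779",        # country code, area-code prefix and last four
    "(415) ***-**79",      # full area code and last two
    "+1 415 55X XXXX",     # area code and exchange prefix, nothing else
]


def normalize(hint: str) -> str:
    """Keep only digits and mask glyphs; every mask glyph becomes '?'."""
    return "".join(
        ch if ch.isdigit() else "?" for ch in hint if ch.isdigit() or ch in MASK_CHARS
    )


def merge_hints(hints, length=E164_DIGITS) -> str:
    """Right-align each normalized hint against a fixed-length template and
    fill in every digit any hint discloses. Right alignment assumes hints
    without a country code still end at the number's last digit. Conflicting
    digits raise, since the hints cannot then belong to one number."""
    template = ["?"] * length
    for hint in hints:
        norm = normalize(hint)
        if len(norm) > length:
            raise ValueError(f"hint longer than template: {hint!r}")
        offset = length - len(norm)
        for i, ch in enumerate(norm):
            if ch == "?":
                continue
            if template[offset + i] not in ("?", ch):
                raise ValueError(f"conflicting digit at position {offset + i}")
            template[offset + i] = ch
    return "".join(template)


def remaining_search_space(merged: str) -> int:
    """Number of candidate phone numbers left once the disclosed digits are fixed."""
    return 10 ** merged.count("?")


if __name__ == "__main__":
    merged = merge_hints(SAMPLE_HINTS)
    print(merged, "candidates left:", remaining_search_space(merged))
```

Running it with hints that all mask the same positions (the consistent policy a defender would want) leaves the guess space unchanged, which is the whole point of masking consistently across services.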



If it makes you feel better (it probably won't) hundreds/thousands of services have collected your phone number over the years (for 2FA or any other reason), with or without consent, and a large chunk of them have had data breaches. So your name-email-phone number combo is 100% already available in public data dumps.


Not so long ago, practically everyone's name and phone number was available publicly for free in any phone box.


Not to mention that these "phone books" also included everyone's address, and married couples were usually listed together.


Yeah, you could get an unlisted number but you were charged for it and almost no one did because it was also how people you wanted to get in touch with you found you a lot of the time. Not that data breaches aren't bad but a lot of the breached info has been pretty routinely available for a very long time. (And, as you say, cell phone numbers are probably less routinely available than landlines were.)

I don't go out of my way to publish my cell or address but a lot of people have them.


My old man was a doctor and the local phone company at the time (GTE) automatically made our home number unlisted. Presumably this was done for other “critical” professions who might receive many home calls that should be directed at their place of work.

Being unlisted was sometimes devastating to a 1980s kid’s social life… I missed out on multiple birthday parties and other invitations. My sisters probably lost out on some dating opportunities.


People always trot this out, but it was very possible to have your information unlisted so it was not printed in the book. You could also use a different name. An old coworker selected to have his name listed as David King so that when found in the book it would show up as King David.

Having an unlisted number wasn't uncommon. For privacy-minded people, it was a simple phone call to make it unlisted, and most just did it at the time of getting the number.


Nonetheless, pre-opting, your information was there, so anyone with a phonebook from before you made that decision would have your information. If an organisation had an interest in invading people's privacy, it would not be complex to simply keep a copy of every edition of the phonebook.


Not the same and you could opt out as well. The discrepancy in potential to access more private information about a person is very large.


So what if you could opt out? Your info was/is still in any phonebook from before you opted out. Any well-prepared organisation, which these modern data-collection firms are, would have no problem whatsoever keeping every edition of the phonebook for this purpose.

Yeah, the discrepancy is that it's harder now. Phonebooks were essentially free and had people's addresses in them.


You could pretty easily opt out of that, at least in many places, although you might need to pay a small fee.


If you have used Twitter or Facebook long enough while keeping the account, public your information is.


Or Yahoo, AT&T, T-Mobile, Equifax, Capital One, Chase, eBay, Home Depot, Marriott, most health networks...


Thanks yoda


There are now Telegram bots to find such information. The fact that this bruteforce was revealed probably annoyed many users (like the infamous "EoG" bot).


There were a few stories in the past about people social engineering their way past support by asking one company's support for the last 4 of a card and then using that last 4 for a different company.


Here's the one I'm thinking of (time flies, doesn't it?)

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

> Those security lapses are my fault, and I deeply, deeply regret them.

> But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information – a partial credit card number – that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.


There are services that do this automatically for a price, and they've been around for a while, for e-mail, phone numbers, and much more. Any bits (literally, bits) of information given without authorization (or plausible belief it's the intended user on the other side) will be efficiently put together from a variety of sources, as there's no shortage of incentive, and many all over the world prodding services used by billions of people worldwide. And then eventually leaked...


There used to be deep web services that provided a lot of this stuff for free back in the early 2000s or so. I think everything like that is behind at least some level of paywall now but it's not hard to get a fairly complete dossier on someone given a bit of background information and a pretty small expenditure.


When I was at university, I went to a talk from a security researcher who found this was the case with credit cards.


Even scarier, whoever has access to admin those services can just look up the unmasked data! Better to use unique numbers and addresses per service.


What's the risk? Your email being made public? Your phone number?


Get personal info, then call carrier for a SIM swap, access crypto from there. Bonus: no KYC, since it's the other person's identity + you can log in from 4G internet, so a trusted IP range.


Where can I get this though?

I haven't been able to get into my main Google account for years because they enabled 2FA without warning and it had a phone number I no longer have. I have the username and password and I get all the emails because I also have the recovery email address. I just need to get the recovery code by SMS.


What can be done to protect oneself from a SIM swap attack?


Absolutely nothing whatsoever.

If SIM Swap doesn’t work, you can always attack SS7. There’s also nothing you can do about that.

So stop using your phone number as an authentication factor. It's trivial to pwn for any actor determined enough.



