A huge database of Facebook users’ phone numbers found online – gpgmail


Hundreds of millions of phone numbers linked to Facebook accounts have been found online.

The exposed server contained over 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.

But because the server wasn’t protected with a password, anyone could find and access the database.

Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.

But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.

gpgmail verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account.

Some of the records also had the user’s name, gender, and location by country.

A redacted set of records from the U.K. database. The “44” indicates +44, the U.K.’s country code and the “7” indicates a cell phone number.

This is the latest security lapse involving Facebook data after a string of incidents since the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help identify swing voters in the 2016 U.S. presidential election.

Since then the company has seen several high-profile scraping incidents, including at Instagram, which recently admitted to having profile data scraped in bulk.

This latest incident exposed millions of users’ phone numbers just from their Facebook IDs, putting them at risk of spam calls and SIM-swapping attacks, which relies on tricking cell carriers into giving a person’s phone number to an attacker. With someone else’s phone number, an attacker can force-reset the password on any internet account associated with that number.

Security researcher Sanyam Jain found the database and contacted gpgmail after he was unable to find the owner. After a review of the data, neither could we. But after we contacted the web host, the database was pulled offline.

Jain said he found profiles with phone numbers associated with several celebrities.

Facebook spokesperson Jay Nancarrow said the data had been scraped before Facebook cut off access to user phone numbers.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”

But questions remain as to exactly who scraped the data, when it was scraped from Facebook, and why.

Facebook has long restricted developers access to user phone numbers. The company also made it more difficult to search for friends’ phone numbers. But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.

This latest data exposure is the most recent example of data stored online and publicly without a password. Although often tied to human error rather than a malicious breach, data exposures nevertheless represent an emerging security problem.

In recent months, financial giant First American left data exposed, as did MoviePass and the Senate Democrats.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Web host Hostinger says data breach may affect 14 million customers – gpgmail


Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database containing customer usernames, email addresses, and scrambled passwords.

Hostinger said the API database stored about 14 million customers records. The company has more than 29 million customers on its books.

“We have restricted the vulnerable system, and such access is no longer available,” said Daugirdas Jankus, Hostinger’s chief marketing officer.

“We are in contact with the respective authorities,” said Jankus.

An email from Hostinger explaining the data breach. (Image: supplied)

News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.

The company said that financial data wasn’t taken in the breach, nor was customer website files or data affected.

But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.

A chat log seen by gpgmail shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.

“They say they do not store payment details locally, but they have an API that can pull this information from the payment processor and the attacker had access to it,” the customer told gpgmail.

We’ve reached out to Hostinger for more, but a spokesperson didn’t immediately comment when reached by gpgmail.

Related stories:


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

MoviePass exposed thousands of unencrypted customer card numbers – gpgmail


Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real-time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance, when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

We also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names, and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

The database also contained email address and some password data related to failed login attempts. We found hundreds of records containing the user’s email address and presumably incorrectly typed password — which was logged — in the database. We verified this by attempting log into the app with an email address and password that didn’t exist but only we knew. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.

Hussain contacted MoviePass chief executive Mitch Lowe by email — which gpgmail has seen — over the weekend but did not hear back. It was only after gpgmail reached out Tuesday when MoviePass took the database offline.

It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.

We asked MoviePass several questions — including why the initial email disclosing the security lapse was ignored, for how long the server was exposed, and its plans to disclose the incident to customers and state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a rollercoaster since it hit mainstream audiences last year. The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month. But MoviePass took a tumble after critics said it grew too fast, forcing the company to cease operating briefly after the company briefly ran out of money. The company later said it was profitable, but then suspended service, supposedly to work on its mobile app. It now says it has “restored [service] to a substantial number of our current subscribers.”

Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000. And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively.

Hussain said the company was negligent in leaving data unencrypted in an exposed, accessible database.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussain told gpgmail. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the dataset was exposed for public access by anyone,” he said.

The security researcher said he found the exposed database using his company-built web mapping tools, which peeks into non-password protected databases that are connected to the internet, and identifies the owner. The information is privately disclosed to companies, often in exchange for a bug bounty.

Hussain has a history of finding exposed databases. In recent months he found one of Samsung’s development labs exposed on the internet. He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, exposing private user data.

Read more:


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Yubico launches its dual USB-C and Lightning two-factor security key – gpgmail


Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with dual support for both iPhones, Macs and other USB-C compatible devices.

Yubico’s latest Yubikey is the latest iteration of its security key built to support a newer range of devices, including Apple’s iPhone, iPad, and MacBooks in a single device. Announced in June, the company said the security keys would cater for cross-platform users — particularly Apple device owners.

These security keys may be small enough to sit on a keyring, but they contain the keys to your online line. Your Gmail, Twitter, and Facebook account all support these plug-in devices as a second-factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.

Security keys offer almost unbeatable security and can protect against a variety of threats, including nation-state attackers.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps, including password managers like 1Password and LastPass, and web browsers like Brave, which support security key authentication.


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

StockX was hacked, exposing millions of customers’ data – gpgmail


It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, gpgmail can confirm.

The fashion and sneaker trading platform pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.

A spokesperson eventually told gpgmail that the company was “alerted to suspicious activity” on its site but declined to comment further.

But that wasn’t the whole truth.

An unnamed data breached seller contacted gpgmail claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.

In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.

The seller provided gpgmail a sample of 1,000 records. We contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.

The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message.

Under those GDPR rules, a company can be fined up to four percent of its global annual revenue for violations.

When reached prior to publication, neither spokesperson Katy Cockrel nor StockX founder Josh Luber responded to a request for comment. A voicemail left on the spokesperson’s cell was not returned.

Jake Williams, founder of Rendition Infosec, said the company “robbed their users of the chance to evaluate their exposure” by not informing customers of the breach when it happened.

StockX was last month valued at over $1 billion after a $110 million fundraise.


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

Clothing marketplace Poshmark confirms data breach – gpgmail


Poshmark, an online marketplace for buying and selling clothes, has reported a data breach.

The company said in a brief blog post that user profile information, including names and usernames, gender and city data was taken by an “unauthorized third party.” Email addresses, size preferences, and scrambled passwords were also taken.

Poshmark did not say which hashing algorithm, used to scramble the passwords, was used. Some algorithms are stronger than others.

The company also said “internal” preferences, such as email and push notifications, were taken.

Poshmark said it retained an outside security firm but did not say which company. It also said it has rolled out “enhanced security measures” without elaborating. We’ve contacted Poshmark for answers, but did not immediately hear back.

Financial data and physical address information was not compromise, the company said

Poshmark has upwards of 50 million users.

Read more:


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something

StockX admits ‘suspicious activity’ led to resetting passwords without warning – gpgmail


StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted to suspicious activity” on its site, despite telling users it was a result of “system updates.”

“We recently completed system updates on the StockX platform,” said the email to customers sent to gpgmail on Thursday. The email provided a link to a password reset page but said nothing more.

The company was only last month valued at over $1 billion after a $110 million fundraise.

Companies reset passwords all the time for various reasons. Some security teams obtain lists of previously breached passwords that make their way online, scramble them in the same format that the company stores passwords, and find matches. By triggering the reset, it prevents passwords stolen from other sites from being used against one of a company’s own customers. In less than desirable circumstances, passwords are reset following a data breach.

But the company admitted it was not “system updates” as it had told its customers.

“StockX was recently alerted to suspicious activity potentially involving our platform,” said StockX spokesperson Katy Cockrel. “Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”

“We are continuing to investigate,” said the spokesperson.

The password reset email sent by StockX on Thursday. (Image: supplied)

We asked several follow-up questions — including who alerted StockX to the suspicious activity, if any customer data was compromised, and why it misrepresented the reason for the password reset. We’ll have more when we know it.

Throughout the day customers were tweeting screenshots of the email, worried that their accounts had been compromised. Others questioned whether the email was genuine or if it was part of a phishing attack.

“Did they get hacked, find out somehow, and then to cover it up send out that email and ask for a password change?” one of the affected customers told gpgmail.

Customers were given no prior warning of the password reset.

StockX founder Josh Luber kept with the company’s line, telling a customer in a tweet that the password reset was “legit” but did not respond to users asking why.

StockX tweeted back to several customers with a boilerplate response: “The password reset email you received is legitimate and came from our team,” and to contact the support email with any questions. We did just that — from our gpgmail email address — and heard nothing back hours later.

Security experts expressed doubt that a company would reset passwords over a “systems update” as StockX had claimed.

Security researcher John Wethington said it is “rare” to see security overhauls that require password resets. “You wouldn’t just send out a random email about it,” he said. Jake Williams, founder of Rendition Infosec, said it was “bad communication” in any case.

Several took to Twitter to criticize StockX for its handling of the password reset.

One customer called the email “fishy,” another called it “suspicious,” and another called on the company to explain why they had to reset passwords in this unorthodox way. Another said in a tweet that he asked StockX twice but “refused to provide an answer.”

“Guess I’m closing my account,” he said.

Read more:
Slack resets user passwords after 2015 data breach
Capital One breach also hit other major companies, say researchers
An exposed password let a hacker access internal Comodo files
Security lapse exposed weak points on Honda’s internal network
Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions




10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes. https://tempemail.co/– is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something