#PhoneNumbers

2025-06-15

Boing Boing: Google bug let strangers find your phone number with just your Gmail address. “A new vulnerability discovered by security researcher, brutecat, allowed attackers to bruteforce the phone numbers of Google users with minimal effort. This newly disclosed vulnerability, reported on June 9, 2025, exposed a flaw in Google’s account recovery system.”

https://rbfirehose.com/2025/06/15/boing-boing-google-bug-let-strangers-find-your-phone-number-with-just-your-gmail-address/

Kevin Karhan :verified:kkarhan@infosec.space
2025-06-04

@arianvp and this is why you don't use #PushNotifications and especially not @signalapp which can, has and will snitch on users!

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-30

@Okesska short answer: You can't, and any options are mere asks, as in "Trust me m8! We'll totally delete that data…"

Long answer: Consider your privacy irreversibly compromised along with the used #PhoneNumbers! Get a completely new identity setup…

2025-05-27

Dan Q: Google Shared My Phone Number!. “A Google search that surfaced Three Rings CIC’s ‘Google Business Profile’ now featured… my personal mobile number. And a convenient ‘Call’ button that connects you directly to it. Some years ago, I provided my phone number to Google as part of an identity verification process, but didn’t consent to it being shared publicly. And, indeed, they […]

https://rbfirehose.com/2025/05/27/dan-q-google-shared-my-phone-number/

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-22

@Arios The Problem is #Windows.

Don't expect the "#DRMflag" to work when it's being used by @signalapp (which in and of itself is problematic for demanding #PII like #PhoneNumbers and shilling a #Shitcoin-#Scam named #MobileCoin!) because like the #API to signal to Windows "I'm an #Antivirus product, disable defender!" this will be abused.

If you are actually concerned re: #privacy you'd yeet signal, educate others and use #XMPP+#OMEMO (i.e. @monocles / #monoclesChat & @gajim ) or #PGP/MIME (i.e. @delta / #deltaChat & @thunderbird ) over @torproject / #Tor instead.

  • It does take a bit of setup, but in return you get extreme gains in #privacy beyond what any #VPN provider can offer - legally and technically!

Not to mention #Signal falls under #CloudAct, so your privacy there is already nonexistent!

  • Otherwise @Mer__edith would've been in jail for the rest of her life already due to the statistical inevitability of its abuse!

Kevin Karhan :verified:kkarhan@infosec.space
2025-05-06

@debby @monocles @Stuxhost well, @delta / #deltaChat is not using #XMPP+#OMEMO (unlike #monoclesChat & #gajim) but #PGP/MIME on regular #eMail, which makes it way easier to set up in organizations as not "yet another server needed" and also easier to comply with mandatory #archival laws in #business use-cases.

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-26

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

  • They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as client and/or stop collecting PII like PhoneNumbers - they gotta do something

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

  • And I've been using Tor for almost 15 years daily now...

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-25

@adisonverlice personally, I think @signalapp should not have integrated any #wallet or #cryptocurrency at all and instead not even request #PhoneNumbers (which are #PII) and move their system onto #Tor and have their endpoints as #OnionService, because being a #PaymentProcessor (and let's be honest #MobileCoin got pitched for #payments) is at best a "legal nightmare" if not a straight-up "You go to Jail!"-card as a matter of principle!

Anyone who wants to coordinate #payments and #finance can do so with external wallets like #FeatherWallet anyway.

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-24

@dave_andersen even @signalapp has to comply with #CloudAct.

  • And we can be very sure they did simply because it's a statistical inevitability by the sheer amount of users they have…

Only real #E2EE (= #SelfHosting-capable with #SelfCustody of all the keys) can be considered safe.

Kevin Karhan :verified:kkarhan@infosec.space
2025-04-08

@bogdan anything that mandates #2FA and doesn't provide #TOTP or #HOTP support as per #RFC but demands something like #PhoneNumbers that are #PII should be outlawed.

  • I can accept #PGP-based 2FA as a compromise...

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-28

@signalapp no it's not.

Being a #centralized, #SingleVendor & #SingleProvider solution subject to #CloudAct makes you inherently vulnerable by your own choice and thus trivial to shut down compared to real #E2EE with #SelfCustody of all the keys and true #decentralization as well as #SelfHosting (i.e. #PGP/MIME [see @delta / #deltaChat et al.] and #XMPP+#OMEMO [see @monocles / #monoclesChat et al.]!)

And don't even get me started on you collecting #PII (especially #PhoneNumbers) for no valid reason, (thus violating #GDPR & #BDSG)...

But yeah, I'll be patient to shout "#ToldYaSo" to your annoying cult of fanboys!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.

If #Signal was secure it would be the #1 comms tool of organized crime...

Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.

It's just me reading the room: Cuz #ComSec isn't done with "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.

  • The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.

Fortunately, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-27

@pixelcode @taylan @signalapp the #centralization, especially without means to hide its traffic via @torproject / #Tor makes it trivial to detect and track @signalapp / #Signal users.

  • Add to that the fact that Signal has #PhoneNumbers = #PII on them and the fact they are incorporated in the #USA, thus subject to #CloudAct, and it's not a matter of if they snitch on users but how many thousands if not millions got subpoena'd to this day.

And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of their lives in jail.

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-26

@taylan @pixelcode also add to the fact that @signalapp collects and stores #PII like #PhoneNumbers...

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-26

@signalapp It's not #disinfo when one points out that you demand #PII aka #PhoneNumbers from Users and that is literally an architectural vulnerability, alongside your #proprietary & #Centralized #Infrastructure.

Not to mention the lack of @torproject / #Tor support with an #OnionService or the willingness to fulfill #cyberfacist "Embargoes" or shilling a #Shitcoin #Scam named #MobileCoin!

  • #KYC is the illicit activity!!!

And don't get me started on the #cyberfacism that is #CloudAct.

  • If you were secure, criminals would've used your platform so hard, it would've been shut down like #EncroChat and #SkyECC.

I may not have all the evidence yet, but #Signal stinks like #ANØM: #Honeypot-esque!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@jrredho @walkinglampshade @fj

Don't 'splain me, m8!

Their figleaf excuses are not legitimate and @signalapp's @Mer__edith knows that...

  • After all, @monocles doesn't require any #PII at all and they are in fact sustainable as in not requiring #donations, since they are user-financed (subscription)...

Read criticisms before commenting...
youtube.com/watch?v=tJoO2uWrX1M

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@fj I still think @signalapp has fundamental flaws like demanding #PII (#PhoneNumbers can't be obtained anonymously around the globe and are trivial to track down to devices and thus users), being subject to #CloudAct as an unnecessary & 100% avoidable risk as well as #Shitcoin-#Scam shilling (#MobileCoin) and its #proprietary, #SingleVendor & #SingleProvider nature that makes it inferior to real #E2EE with #SelfCustody like #PGP/MIME & #XMPP+#OMEMO!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@licho @osman provide evidence the code @signalapp released is actually being deployed.

Not to mention pushing a #Shitcoin-#Scam (#MobileCoin) disqualifies #Signal per very design!
youtube.com/watch?v=tJoO2uWrX1M

  • Given the collection of #PII like #PhoneNumbers, the ability to restrict functionality based off those and the fact that #Signal is subject to #CloudAct make it inherently not trustworthy.

And don't even get me started on the fact it's not sustainable to run it as a #VCmoneyBurningParty!

Same as identifying users: They already got a #PhoneNumber which in many jurisdictions one can't even obtain without #ID legally, thus making it super easy to i.e. find and locate a user. Even the cheapest LEAs can force their local M(V)NOs to #SS7 a specific number...

  • All these are unnecessary risks, that could've been avoided, but explicitly don't even get remediated retroactively!

Again: Signal has a #Honeypot stench, and you better learn proper #E2EE, #SelfCustody and #TechLiteracy because corporations can't pull the 5th [Amendment] on your behalf!

Kevin Karhan :verified:kkarhan@infosec.space
2025-03-25

@osman, no because @signalapp is a #proprietary, #centralized, #SingleVendor & #SingleProvider solution that demands #PII like #PhoneNumbers for no valid reason, is subject to #CloudAct and only continues to exist because it's convenient as a means to do #BulkSurveillance and mark its users as #PeopleOfInterest.
