Well, they only give away partial data: For the mobile number, they give away the country code, the first digit, and the last 4 digits - leaving the attacker to guess the other 4 digits (that's 10,000 mobile numbers - 0000-9999). For the email address, they give away the 2 characters either side of the @ sign and the root domain (such as .com). The legitimate account holder can verify this is correct and proceed to get the data they need to proceed. The hacker just sits back and hopes the legitimate user will be inattentive and do the wrong thing by mistake. As a legitimate end user, I'm happy with this. If I do not recognize the info provided, it means I may have forgotten my email to start with and can at least go back and try a different email that leaks enough information for me to know I'm on the right track.
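The masking scheme described in the post above, written out as an added example; it is not part of the original post and not any vendor's code. The function names, the 9-digit national number format and the sample values are assumptions made up for illustration, and the short-value handling shows the case where a "2 characters either side" hint would otherwise disclose the whole address.

```python
import re

EMAIL_MASK = "***"  # fixed width, so the hint does not reveal the real length


def mask_phone(country_code: str, national: str) -> str:
    """Show the country code, first digit and last 4 digits; hide the rest."""
    digits = re.sub(r"\D", "", national)
    if len(digits) < 6:
        # Fewer than 6 digits would leave nothing hidden after the 5 shown.
        raise ValueError("number too short to mask")
    hidden = len(digits) - 5
    return f"+{country_code} {digits[0]}{'*' * hidden}{digits[-4:]}"


def hidden_phone_candidates(masked: str) -> int:
    """How many numbers still match the hint (10 per hidden digit)."""
    return 10 ** masked.count("*")


def mask_email(address: str) -> str:
    """Show 2 characters either side of '@' plus the final domain label."""
    local, _, domain = address.rpartition("@")
    name, _, tld = domain.rpartition(".")
    if not local or not name:
        raise ValueError("not a maskable address")
    # A part of 2 characters or fewer would be disclosed in full by the
    # 2-character rule, so it is hidden completely instead.
    local_hint = EMAIL_MASK + local[-2:] if len(local) > 2 else EMAIL_MASK
    name_hint = name[:2] + EMAIL_MASK if len(name) > 2 else EMAIL_MASK
    return f"{local_hint}@{name_hint}.{tld}"


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    hint = mask_phone("61", "412 345 678")
    print(hint, hidden_phone_candidates(hint))
    print(mask_email("alice@example.com"))
    print(mask_email("al@ex.com"))
```
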