If you've added your phone number to Facebook for 2FA security, it can be used to search for you
Facebook has been encouraging users to enable two-factor authentication to boost the security of their accounts, but it turns out that there's a slightly sinister side to this feature.
You may well have opted to maintain an element of privacy by omitting personal information such as your address and phone number from your profile. But if you've used your mobile number to secure your account with 2FA, even if it is not visible to others, it can still be used to search for you -- and there is no way to opt out of this.
The point of 2FA is to increase security, so the existence of this privacy hole is more than a little troubling. By default, once your mobile number has been added to your account for two-factor authentication purposes, Facebook enables anyone to search for you using it.
While it is possible to take the setting down a couple of notches so only friends, or friends of friends, can search for you in this way, there is no way to disable it entirely. Most people will be completely unaware that Facebook allows private data to be used in this way, and the default setting that is put in place is something that many will be uncomfortable with.
The issue was brought to light on Twitter by Jeremy Burge from Emojipedia:
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge (@jeremyburge) March 1, 2019
Burge went on to point out that phone number information is also shared with other Facebook services and advertisers:
The original FB phone number prompt never mentioned "and more". It was shown for MONTHS before a link was added in September 2018 clarifying "actually we'll use this wherever we damn well please" pic.twitter.com/FcOTIZdVf5
— Jeremy Burge (@jeremyburge) March 1, 2019
Facebook shares phone numbers with advertisers https://t.co/kVNBIHOae1
— Jeremy Burge (@jeremyburge) March 1, 2019
He has some simple advice for Facebook users: "TL;DR: Login-with-Phone-Number is the new Login-with-Facebook. Easy to track, shared between services, it's the key to invisible mesh of your data. Don't do it."
It is certainly concerning that a phone number handed over in the name of security could be used for other things, but Facebook says that the settings highlighted "are nothing new", telling TechCrunch that "the setting applies to any phone numbers you added to your profile and isn't specific to any feature".
It is possible to set up 2FA without using a phone number, but a phone number is the most popular, obvious and convenient route taken by users. Facebook says that the search-by-mobile-number option makes it easier to track down people you are not yet friends with on the social network, seemingly oblivious to the fact that this is precisely the point of concern. TechCrunch asked the company if an opt-out option would be added in light of the concern that had been voiced, but Facebook refused to comment on future plans.