When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security

'This isn’t a mistake now, this is clearly an intentional product choice' says ex-CSO Stamos

Another week, another Facebook privacy storm.

This time, the Silicon Valley giant has been caught red-handed using people's cellphone numbers, provided exclusively for two-factor authentication, for targeted advertising and search – after it previously insinuated it wouldn't do that.

Folks handing over their mobile numbers to protect their accounts from takeovers and hijackings thought the contact detail would be used for just that: security. Instead, Facebook is using the numbers to link netizens to other people, and target them with online ads.

For example, if someone you know – let's call her Sarah – has given her number to Facebook for two-factor authentication purposes, and you allow the Facebook app to access your smartphone's contacts book, and it sees Sarah's number in there, it will offer to connect you two up, even though Sarah thought her number was being used for security only, and not for search. This is not a particularly healthy scenario, for instance, if you and Sarah are no longer, or never were, friends in real life, and yet Facebook wants to wire you up anyway.

Following online outcry over the weekend, a Facebook spokesperson told us today: "We appreciate the feedback we've received about these settings, and will take it into account."

Don't hold your breath.


Outrage over Facebook's phone-number slurping was sparked on Friday by Emojipedia founder Jeremy Burge, who publicly criticized Mark Zuckerberg's information-harvesting operation for making users searchable via phone numbers submitted for the ostensible purpose of account security.

"For years Facebook claimed that adding a phone number for 2FA was only for security," he said via Twitter. "Now it can be searched and there's no way to disable that."

Facebook had partly disabled such phone-number searches in the past, preventing people from finding someone's profile directly from their number: in April 2018, the ad biz said it had switched off phone number search following the Cambridge Analytica scandal, citing abuse. "Until today, people could enter another person’s phone number or email address into Facebook search to help find them," said CTO Mike Schroepfer in a blog post at the time. "So we have now disabled this feature."

What remains is that Facebook will use submitted phone numbers to suggest friend connections for those who upload related contact information, even if that friend only provided the phone number for 2FA account security.



"Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone," a Facebook spokesperson explained to The Register on Monday in an email.

"Control" in this case doesn't mean limiting how the phone number is used; it means a menu that makes the number discoverable by "Everyone," "Friends of Friends," or just "Friends" during a contact-upload lookup. Users have the option to remove their phone number from their account, though that would preclude using it for account recovery. Since May last year, Facebook has supported 2FA without a phone number via authenticator apps. Thus you can keep multi-factor authentication on Facebook without handing over a number: remove the phone-based 2FA and re-enable it using an authenticator app.

In any event, it may still be possible to abuse Facebook's friend-finding feature by uploading large numbers of contacts via a mobile phone in the hope that Facebook will return a useful response for some of them. Also, searching by phone number on WhatsApp works if you uploaded that number along with that person's contact information.
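The two mechanisms at issue here, the audience menu and the contact-upload lookup, are easier to reason about in code. The following is an added illustration, not Facebook's code or anything derived from it: a toy in-memory directory in which each number is tagged with the purpose it was supplied for (the segregation of 2FA numbers from lookup and ads that Stamos says Facebook once planned), and a lookup that only returns numbers opted into discovery and only within the owner's "Who can look me up?" audience. The naive lookup beside it matches any number the service holds, which is what turns a bulk contact upload into an enumeration oracle. All user names, numbers, and the `Purpose`/`Audience` names are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    """Why a user handed over a number; a number may carry several purposes."""
    TWO_FACTOR = "2fa"        # SMS second factor only
    RECOVERY = "recovery"     # account recovery
    DISCOVERY = "discovery"   # "help friends find you" (explicit opt-in)


class Audience(Enum):
    """Models the 'Who can look me up?' menu: Everyone / Friends of Friends / Friends."""
    EVERYONE = "everyone"
    FRIENDS_OF_FRIENDS = "friends_of_friends"
    FRIENDS = "friends"


@dataclass
class User:
    uid: str
    phones: dict = field(default_factory=dict)   # normalized number -> set[Purpose]
    lookup_audience: Audience = Audience.EVERYONE
    friends: set = field(default_factory=set)


def normalize(number: str) -> str:
    """Crude canonical form: digits only, so '+1 (555) 010-0001' and '15550100001'
    compare equal. A real service would use a libphonenumber-style parser."""
    return re.sub(r"\D", "", number)


class Directory:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, user: User) -> None:
        self.users[user.uid] = user

    def add_phone(self, uid: str, number: str, purposes) -> None:
        self.users[uid].phones.setdefault(normalize(number), set()).update(purposes)

    def _audience_allows(self, owner: User, requester: str) -> bool:
        if owner.lookup_audience is Audience.EVERYONE or requester in owner.friends:
            return True
        if owner.lookup_audience is Audience.FRIENDS_OF_FRIENDS:
            return any(requester in self.users[f].friends
                       for f in owner.friends if f in self.users)
        return False

    def naive_lookup(self, requester: str, uploaded) -> dict:
        """Weak design: any number the service holds is matchable, whatever it was
        supplied for. Uploading a sequential block of numbers enumerates accounts."""
        hits = {}
        for raw in uploaded:
            n = normalize(raw)
            for u in self.users.values():
                if u.uid != requester and n in u.phones:
                    hits[n] = u.uid
        return hits

    def scoped_lookup(self, requester: str, uploaded) -> dict:
        """Hardened design: a number surfaces only if its owner tagged it DISCOVERY
        and the requester falls inside the owner's audience setting."""
        hits = {}
        for raw in uploaded:
            n = normalize(raw)
            for u in self.users.values():
                if u.uid == requester or Purpose.DISCOVERY not in u.phones.get(n, set()):
                    continue
                if self._audience_allows(u, requester):
                    hits[n] = u.uid
        return hits


def build_demo() -> Directory:
    """Constructed population: Sarah gave a number for 2FA only, Bob opted into
    discovery but only for friends, Carol opted into discovery for everyone."""
    d = Directory()
    for uid in ("sarah", "bob", "carol", "mallory"):
        d.add_user(User(uid))
    d.add_phone("sarah", "+1 555 010 0001", {Purpose.TWO_FACTOR})
    d.add_phone("bob", "+1 555 010 0002", {Purpose.DISCOVERY, Purpose.RECOVERY})
    d.users["bob"].lookup_audience = Audience.FRIENDS
    d.users["bob"].friends.add("carol")
    d.users["carol"].friends.add("bob")
    d.add_phone("carol", "+1 555 010 0003", {Purpose.DISCOVERY})
    return d


# Constructed "contacts list": a sequential block, i.e. a bulk-upload enumeration attempt.
MALLORY_UPLOAD = [f"+1 555 010 {i:04d}" for i in range(20)]

if __name__ == "__main__":
    d = build_demo()
    print("naive: ", d.naive_lookup("mallory", MALLORY_UPLOAD))
    print("scoped:", d.scoped_lookup("mallory", MALLORY_UPLOAD))
```

Run stand-alone, the naive lookup hands Mallory all three accounts, Sarah's 2FA-only number included; the scoped lookup returns only Carol, because Sarah never opted into discovery and Bob's audience excludes non-friends. The point Stamos makes follows directly: if the purpose tag is dropped at write time, no audience menu added later can distinguish a number given for security from one given to be found, so the only remaining "control" is to delete the number and lose SMS recovery with it.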

Facebook last year amended its solicitation to submit a phone number with a link explaining that the number would be used for other purposes. As Facebook explains on a support page, it uses phone numbers for account security, to help friends find you, and for account recovery.

The devil is in the details

Not mentioned on its help page is the fact that Facebook uses phone numbers for advertising. Researchers from Princeton University and Northeastern University in the US last year examined how Facebook uses personally identifiable information supplied by users.

They found "that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users."

According to Alex Stamos, Facebook's former chief security officer, the antisocial network at one point planned to segregate phone numbers provided for 2FA from phone numbers provided for other purposes, but that now no longer seems to be the case.

"This isn’t a mistake now, this is clearly an intentional product choice," he said via Twitter, adding that Facebook needs someone in the product design chain advocating for security. "[Facebook] can’t credibly require 2FA for high-risk accounts without segmenting that from search and ads," he said.

The Register asked Facebook to respond to the tweet from Stamos but Facebook's spokesperson didn't answer.

All of this is taking place as Facebook pushes ahead with a plan to consolidate its user data across Facebook, Instagram and WhatsApp, in an effort to blunt the impact of Europe's GDPR privacy regime. That's a goal Facebook COO Sheryl Sandberg has reportedly been pursuing for years, as a recently revealed cache of documents suggests. ®
