Facebook’s promises are getting harder and harder to believe. Despite telling people that phone numbers used for two-factor authentication (2FA) wouldn’t be used for anything else, it’s been revealed that the company also uses those numbers to help Facebook users find people’s accounts, and there’s no way to prevent that process.
We already knew that Facebook had lied about only using phone numbers gathered via 2FA setup for security purposes: researchers discovered in September 2018 that Facebook used those numbers to inform targeted advertisements. This wasn’t disclosed to users.
But the ability to find someone’s Facebook account with their phone number was only publicized Friday by Jeremy Burge, chief emoji officer at Emojipedia, an emoji reference website. He explained in a series of tweets that Facebook lets its users decide if their phone numbers can be used this way by everyone, friends of friends, or friends. There’s no opting out.
Worse still is the fact that this option is set to “everyone” by default. At this point, it’s not clear how Facebook’s decision to stop using phone numbers in its search results benefited users, since this new feature essentially does the same thing.
Facebook also apparently shares numbers used for 2FA with its other services. Burge shared a screenshot of Instagram, which Facebook owns, asking him to confirm a phone number that he only shared with Facebook to set up 2FA on an account. Numbers are also shared with WhatsApp, another Facebook property, the whistleblower said.
