Facebook Isn’t Keeping Your 2FA Phone Number Private

Posted on March 4, 2019 by Mehedi Hassan in Social with 13 Comments

Facebook’s privacy problems never end. The latest edition of Facebook and its poor handling of users’ data involves phone numbers used to actually protect your Facebook account.

The company lets users enable two-factor authentication to add an extra layer of security to their account using their phone numbers, but that phone number is being used in other ways, too. As first noticed by Twitter user Jeremy Burge, the company is using your 2FA number to let anyone look your account up with your phone number.

By default, the feature lets anyone search your account with your phone number, which is a major privacy problem. Just because someone has your phone number does not mean they should be able to look you up on Facebook and find your account, so you can imagine all the different problems surrounding this issue.

And what’s even worse is that Facebook does a poor job of informing users how their 2FA number is used for other parts of the service. Facebook also doesn’t provide users with a way to completely turn off the lookup feature, even though it had said back in 2018 that the feature had been disabled.

A Facebook spokesperson simply told TechCrunch how the feature is not new, and how it affects all other phone numbers that you add on your Facebook account, not just the number you use for 2FA.

Still, Facebook’s ignorance towards features like this just goes to show the company’s view on sensitive user data. It’s almost like the “Facebook doesn’t care about your privacy” idea is becoming increasingly accurate by the month.


13 responses to “Facebook Isn’t Keeping Your 2FA Phone Number Private”

  1. Daekar

    It's like they're not even trying.

    It blows my mind people still use this service. There is practically nothing it offers that can't be achieved on other platforms, some of which are FAR more secure and offer more control.

    • mattbg

      In reply to Daekar:

      Facebook privacy is becoming like Donald Trump in some ways - there's almost no story you can write about Facebook privacy that would surprise anyone anymore.

      I wouldn't be surprised if these stories just fly over the head of anyone that has already decided they'll keep using Facebook. Hopefully if something extremely serious does come about then the media will give it the sustained attention it deserves.

    • hrlngrv

      In reply to Daekar:

      . . . some of which are FAR more secure . . .

      Shouldn't that be most?

  2. orbsitron

    mattbg wrote on the "Premium Comments" side, that...

    "...Hopefully if something extremely serious does come about then the media will give it the sustained attention it deserves."

    Matt, while I appreciate what you are saying here - that Facebook is not being scrutinized or held accountable to the degree that they should (and I largely agree with you on that point), the end doesn't justify the means.

    We should _never_ hope something extremely serious happens.

    Instead, I'm hoping a few things:

    1) That the appropriate scrutiny and accountability begin to take place.

    2) Facebook begins to improve their policies and behavior.

    • mattbg

      In reply to orbsitron:

      I wasn't hoping that something serious would happen. I was hoping that IF something extremely serious happened in relation to Facebook privacy, the media would pay due attention and focus on it for more than a single article squeezed in between stories about the latest Fortnite update.

      Facebook stories seem to come and go. If you blink you might miss it in your news feed. This wasn't always the case, but there are now so many incremental Facebook concerns that it has become this way.

      • wright_is

        In reply to mattbg:

        The problem is, there have been dozens of serious things that have happened in terms of Facebook privacy, but they quickly get swept under the carpet.

        Just look at Max Schrems, when was the last time his cases were even mentioned in the press?

        This phone number 2FA is a clear breach of GDPR, yet it is being handled quietly at the moment.

  3. A_lurker

    Just because I have someone's phone number does not mean they want me to have access to their account. There are many reasons why I might have your phone number.

  4. kjb434

    Thank god I never willingly gave them my number or access to my contacts. After uninstalling their apps on all platforms, I found I only look at Facebook through a browser (behind Pi-Hole and Ublock Origin) about once a month.

  5. wright_is

    Under GDPR, it is illegal to use the telephone number (or any personal information) for any other purpose than the one that the user explicitly signed up for.

    If the user signed up for 2FA and Facebook is using it to allow people to search for the number and link it to a Facebook account, that is illegal.

    A worse offence would be if they sold the telephone numbers to third parties or for advertising... Oh, wait, they are using it for advertising.

  6. locust infested orchard inc

    Surely the headline should read, "Facebook isn’t keeping any of their users' private information, private" ?

    This news is hardly surprising, for it was only a matter of time before the lack of privacy given to the users' 2FA number surfaced (and other numbers naively divulged by the user to Fakebook, according to a TechCrunch article having been approached by a Fakebook spokesperson).

    It makes me wonder if a similar situation may come to exist with WhatsApp, after Fakebook inevitably commences the loosening of security of the 2014 acquired comms platform.

    Fakebook is essentially imploding from within with its continual desire to make $$$$$ from the selling of users' data.

  7. markbyrn

    So if you go to the Contact and Basic Info settings and set each phone number to "only me", somebody can still look it up?

  8. Greg Green

    It’s like they’re not even trying. They’re either really clueless or they just don’t care. I have a very low opinion of FB but this still shocks me.