Facebook lets people look up your profile using your 'security' phone number

Facebook is facing criticism over the way it handles users' personal details, after it emerged the social network is using phone numbers initially handed over as a security measure for other purposes.

Since 2011, Facebook has asked users for their phone numbers in order to enable "two-factor authentication" (2FA) - a security feature that sends a text message whenever you try to log in.

Anyone who manages a Facebook page with a large number of followers is required to set up 2FA, to prevent the page from being hacked.

It was understood that the phone numbers would be used for this purpose and this purpose alone, but over the years, Facebook has reportedly been using the phone numbers in other ways.

Specifically, the numbers can now be used to find users' profiles - and there's no way of opting out.

The issue was raised in a tweetstorm by Jeremy Burge of Emojipedia, who accused Facebook of playing fast and loose with users' personal data.

"For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that," he wrote.

He pointed out that the prompt to set up 2FA originally read: "Add your phone number to help secure your account," but in September 2018, Facebook added the words "and more" to the end of the statement.

Users who once added their phone number for security reasons are now faced with a privacy setting that asks them who can look them up using that number.

The options are "everyone", "friends of friends", or "friends". There is no way to stop anyone from finding you using your phone number, and the default option is "everyone".

Moreover, Facebook shares security numbers with Instagram. Users are encouraged to update their contact details on its sister service if they have a new phone number on the main Facebook app.

"Using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries," wrote Burge on Twitter.

"One unique ID that is used to link your identity across every platform on the internet. That is why every startup wants your phone number.

"It's shocking that this one number is used for usernames, authentication (2FA), advertising tracking, geolocation and more.

"And it's the same piece of info you have to give to a random plumber to come and fix the boiler."

Burge was joined in his criticism by other online privacy advocates, who accused Facebook of putting its users at risk.

"Using security to further weaken privacy is a lousy move - especially since phone numbers can be hijacked to weaken security," security expert Zeynep Tufekci wrote on Twitter.

Stanford professor Alex Stamos added: "This is why tech companies need somebody advocating for security as a first-class goal in product.

"FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads."

Facebook addressed some of Burge's criticisms in a statement, claiming that it is now possible to set up 2FA without registering a phone number.

It also clarified that the ability to enter another person's phone number into the Facebook search bar to help find their profile was removed in April 2018.

"Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone," a spokesperson for the company said.

"We appreciate the feedback we've received about these settings and will take it into account."