
Second problem found with Facebook 2FA security: phone numbers are searchable

We always recommend that people take advantage of two-factor authentication (2FA) to protect online accounts, but a second problem with Facebook 2FA has now been discovered.

The company last year admitted that it used 2FA phone numbers for ad targeting, and it has now been revealed that it also makes your phone number searchable – and you cannot fully opt out …

Jeremy Burge, the man behind Emojipedia, was the first to notice that a cellphone number you provided only for 2FA use was searchable by everyone by default.

For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.

He noted that while Facebook now says that your phone number will be used ‘to help secure your account and more’ – with a link to further details – the words ‘and more’ were added only in September of last year, after the ad-targeting story broke.

The original FB phone number prompt never mentioned “and more”. It was shown for MONTHS before a link was added in September 2018 clarifying “actually we’ll use this wherever we damn well please”

What this means is that if someone else uploads their contacts to Facebook – something the company encourages new users to do as a way of finding friends – you will pop up as a suggested friend if you use your phone number for 2FA.

You can restrict this, locking down your phone number so it’s only searchable by existing Facebook friends, but the default setting is ‘everyone.’

Discussion in the Twitter thread also reveals that the number is additionally shared with Facebook-owned WhatsApp and Instagram.

Facebook’s settings page lets you change your phone number lookup setting from Everyone to either Friends or Friends of Friends. Note that email search is also set to Everyone by default, as is allowing search engines to link to your profile. The latter won’t show much if your content is all set to friends-only, but personally I have this switched off as well.

Burge suggests that Apple could offer the option to generate single-company phone numbers, in much the same way as Apple Pay generates one-time codes instead of revealing your real card number.

Apple should offer unlimited additional phone numbers that work as inbound SMS lines only.

Each time a service requires a phone number, iOS could generate a new number. If Apple is serious about user privacy, this is the next frontier. The current one, really.

That’s something that would need to be done in cooperation with carriers, but I think could be a welcome feature. In the meantime, our advice remains to use apps, rather than phone numbers, for 2FA whenever possible.

Via TechCrunch


Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
