Burge's tweet thread highlighted that Facebook's default settings allow anyone, whether or not they have a Facebook account, to look up your profile with your 2FA phone number. A Facebook spokesperson told TechCrunch that the settings are "not new" and went on to add that "the setting applies to any phone numbers you added to your profile and isn't specific to any feature". The default setting is "everyone", but you can change that to "friends of friends" or just "friends". Authenticator apps are not only more secure, but also mean you won't have to hand out your phone number to companies like Facebook. One option that's not present, though, is the ability to select "no one", which would of course prevent anyone from looking you up by your phone number; as it stands, your number can be tied to your actual Facebook profile by anyone who wants to search for it.
"Facebook 2FA numbers are also shared with Instagram which prompts you 'is this your phone number?' once you add to FB," Burge added. In other words, people can search for your phone number on Facebook and associate it with your name and other information, even though the purpose for which you shared your number with Facebook in the first place was entirely different.
The social network previously removed the option to search for profiles by phone number after admitting "most people on Facebook could have had their public profile scraped in this way". Facebook says it's done so to make sure you find people you know but aren't yet friends with. Researchers from Princeton University and Northeastern University in the U.S. examined the previous year how Facebook uses personally identifiable information supplied by users.
Many Facebook users were reluctant to use their phone number for two-factor authentication, despite the firm's insistence - a concern that further deepened amid numerous data scandals and reports from users who were sent "non-security related" texts after signing up for the feature. The great money-making engine of advertising, in other words, is apparently too important to let a thing like a user's protectiveness of their phone number get in the way.
Sadly, the same can't be said about Facebook.
He has some simple advice for Facebook users: "TL;DR: Login-with-Phone-Number is the new Login-with-Facebook." "[Facebook] can't credibly require 2FA for high-risk accounts without segmenting that from search and ads," he said.