Facebook isn’t letting you opt-out of having people search for you by your phone number

And you thought 2FA was good for you!

Facebook isn't letting you opt-out of having people search for you by your phone number

What’s up?
Facebook is in hot water again.

Facebook? Do people still use that thing?
I know, I’m surprised too.

So what have they done this time?
Well, if you gave Facebook your phone number in order to enable SMS-based two-factor authentication (2FA) on your account, other people can find your profile just by searching for your phone number.

Sign up to our free newsletter.
Security news, advice, and tips.

Woah! SMS-based 2FA? What’s that?
Welcome to the twenty first century, Grandpa. Two-factor authentication (2FA) is one of the primary ways you stop your online accounts from being hijacked by criminals who manage to guess, steal, or work out your passwords.

Typically, you enter a six digit security code that is sent to your phone via SMS, or is generated by a smartphone app. The idea is that a hacker might know your password – but they don’t know the six digit security code. And because the security code changes every 30 seconds or so, even if they did find it out – they would be hard pressed to make use of it.

2FA isn’t perfect, but it definitely makes it harder for bad guys to break into your accounts.

So people gave Facebook their phone number so they could receive their six digit 2FA code, and Facebook…
…and Facebook let anyone look up the owner of that particular phone number just by entering it. Despite that phone number only being given for the purposes of enhancing security.

Hasn’t Facebook already been exposed for doing this?
You’re probably thinking about a few months ago, when researchers discovered that Facebook was allowing companies to target adverts at individuals by exploiting the phone numbers that were only given to enable 2FA.

No, I’m thinking of something else…
Well, perhaps you’re thinking of the time when Facebook admitted it had sent unwanted non-security-related SMS messages to phone numbers that had been given to it by users solely for the purposes for enabling 2FA for heightened security.

No, that’s not it. I remember something else to do with Facebook and phone numbers that didn’t involve 2FA.
Ahh. You’re probably remembering that until last year, simply entering someone’s phone number or email address into Facebook’s search box would perform a reverse look-up and tell you who it belonged to, displaying any information that individual shared publicly on their Facebook profile. After years of being abused, Facebook eventually decided to disable the feature.

So what’s the issue now?
Like I said, the issue is that Facebook is allowing the phone numbers that users entered solely for the purposes of heightening their online security (by enabling 2FA) to be used in reverse look-ups.

And what’s the danger in that?
If someone found out your phone number (perhaps you left a message on their answering machine, or they saw that you had called them) they could find out your name, see your profile picture, and any other information that you had made public.

Oh, and you didn’t explicitly given Facebook permission to use your phone number in that fashion. You gave Facebook your phone number in the hope that you were enhancing your privacy, not reducing it.

But surely they’ve given users who’ve enabled 2FA a way to opt-out of having their phone number available for a reverse look-up?
Firstly, that isn’t the way it should work – the onus should be on Facebook asking you to opt in for less privacy, rather than you having to opt out. Of course, this kind of behaviour is the norm for Facebook…

…but to answer your question, no there isn’t a way to opt-out. The best you can do is change your privacy settings to limit reverse look-ups to people who are your “Friends.”

Facebook lookup

Shouldn’t there be a “No one” option there?
Yes, and it should be enabled by default. Facebook, however, chose the default to be “everyone”.

I heard that SMS-based 2FA isn’t that great anyway
It’s not as secure as 2FA that uses an authentication app, but SMS-based 2FA is a heck of a lot better than no 2FA at all.

Does Facebook offer app-based 2FA?

So, folks should enable app-based 2FA on their Facebook accounts instead?
That’s one option.

What’s another option?
Well, you could always delete your Facebook accounts. It’s potentially too late because god knows who has already scraped your personal information off Facebook, and what they might be doing with it…

Frankly, if you haven’t yet spotted Facebook’s pattern of behaviour after this many years, I wonder if you ever will. Be sensible, walk away.

We made a “Smashing Security” podcast all about how to quit Facebook. Give it a listen, and maybe try quitting Facebook for yourself. It’s quite liberating.

Smashing Security #75: 'Quitting Facebook'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Facebook isn’t letting you opt-out of having people search for you by your phone number”

  1. Pete

    "Frankly, if you haven’t yet spotted Facebook’s pattern of behaviour after this many years, I wonder if you ever will. Be sensible, walk away."
    Graham: The first sentence quoted above represents an acknowledgment of reality. Good for you. But you needn't wonder; the vast majority never will recognize the price they pay in loss of privacy and security for the "free" (dis)service Facebook provides.
    The second sentence—"Be sensible, walk away."—is probably tantamount to casting pearls before oinkers. For the broad masses with whom Facebook has become a behavioral norm and an inseparable part of their daily routine, walking away is incomprehensible.
    In both cases, the underlying problem is the epidemic inability to perceive that using Facebook poses any threat to one's privacy and security in the first place.
    In fact, judging by the number of people I encounter who don't even back up their computers, I suspect that the very concept of "privacy and security" is completely off the radar of the vast majority of people who use Facebook.

  2. The blogger who never writes

    GDPR is supposed to stop naughty organisations from misusing your data in ways that you haven’t explicitly authorised them to use it -would have thought these are textbook examples for fines near or at the top of the range

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.