Facebook knew for years scammers were harvesting users’ details with phone number searches. Did nothing

Zuck: “At some point during the last several years, someone has probably accessed your public information.”

Facebook ignored a widely-known privacy flaw for years, allowing scammers, spammers, and other malicious parties to scoop up virtually all users’ names and profile details.

As I explained way back in 2012, when I was writing for the Sophos Naked Security blog, simply entering someone’s phone number or email address into Facebook’s search box would perform a reverse look-up and tell you who it belonged to, with any information they shared publicly on their Facebook profile.

Facebook had set the default setting for “Who can look you up using the email address or phone number you provided?” to “Everybody”. Which, of course, was the weakest possible privacy: no privacy at all.

Facebook knew that most people would never bother to change the setting, and at the same time pressured users to enter a phone number when creating an account or during verification.

Three years passed, and a software developer wrote just a few lines of code which automatically cycled through every possible mobile number in the UK, United States, and Canada, scooping up users’ names, photos, and other data.
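A sweep like that leaves a recognisable trace in the lookup service's own logs: one client issuing a burst of distinct reverse lookups whose numbers walk through consecutive values. The detector below is an added example, not code from this article or from Facebook; the log format, client ids, phone numbers and thresholds are all constructed assumptions.

```python
"""Flag clients that appear to be enumerating a reverse phone-number lookup."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client id, phone number that was looked up.
# client-A sweeps consecutive numbers; client-B repeats a couple of ordinary lookups.
SAMPLE_LOG = """\
2018-04-05T10:00:00 client-A +447700900100
2018-04-05T10:00:01 client-A +447700900101
2018-04-05T10:00:02 client-A +447700900102
2018-04-05T10:00:03 client-A +447700900103
2018-04-05T10:00:04 client-A +447700900104
2018-04-05T10:00:05 client-A +447700900105
2018-04-05T10:00:10 client-B +447700900555
2018-04-05T10:05:00 client-B +447700900555
2018-04-05T10:07:00 client-B +447700900777
"""

def parse_log(text):
    """Yield (timestamp, client, number) from the whitespace-separated log."""
    for line in text.splitlines():
        ts, client, number = line.split()
        yield datetime.fromisoformat(ts), client, number

def enumeration_score(numbers):
    """Fraction of consecutive queries that differ by exactly one (a sequential sweep)."""
    digits = [int(n.lstrip("+")) for n in numbers]
    if len(digits) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(digits, digits[1:]) if abs(b - a) == 1)
    return steps / (len(digits) - 1)

def flag_enumerators(log_text, window_seconds=60, min_lookups=5, min_sequential=0.8):
    """Return clients whose distinct lookups inside any window look like a sweep."""
    per_client = defaultdict(list)
    for ts, client, number in parse_log(log_text):
        per_client[client].append((ts, number))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = [n for t, n in events[i:] if (t - start).total_seconds() <= window_seconds]
            distinct = list(dict.fromkeys(window))  # de-duplicate, keep query order
            score = enumeration_score(distinct)
            if len(distinct) >= min_lookups and score >= min_sequential:
                flagged[client] = {"lookups": len(distinct), "sequential": score}
                break  # one hit per client is enough to raise an alert
    return flagged
```

Repeated lookups of the same number, as client-B does, never raise the distinct count, so a normal user searching for a contact twice is not flagged.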

That kind of information could be pretty useful for a scammer. For instance, they could phone you up pretending to be your mobile phone company, and refer to you by your name to appear more convincing.

Facebook didn’t stop the developer’s code from accessing hundreds of millions of its users’ profiles. What they did do is tell him that they didn’t consider it an issue.

Another three years have passed, and Facebook is finding itself in hot water after the Cambridge Analytica debacle.

With its share price slammed by allegations that its business model does not take users’ privacy seriously, Facebook published a blog post this week detailing some of the changes it is making.

Finally, Facebook is acknowledging that offering a reverse look-up based on phone numbers and email addresses is disastrous, and says it is disabling the feature.

But more than that, it is admitting that “most people on Facebook could have had their public profile scraped in this way.”

Facebook blog post

Anyone who didn’t change their privacy settings after adding their phone number should assume that their information had been harvested.

Facebook chief Mark Zuckerberg acknowledged the scale of the problem in a Q&A with journalists:

“I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.”

How long is it going to take before people wake up to what’s going on here? Facebook’s business model is no secret, and is fundamentally incompatible with a growing number of people’s desire for online privacy.

Even when told about serious problems, Facebook ignored them.

If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:

Smashing Security #75: 'Quitting Facebook'

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

3 comments on “Facebook knew for years scammers were harvesting users’ details with phone number searches. Did nothing”

  1. drsolly

    I knew there was a good reason why I wouldn't give Facebook my mobile number.

  2. JoePeach

    Buy a cheap magic jack, you can link it to your PC, Android, etc! NEVER give your cell to anyone, unless all other options are exhausted.

  3. coyote

    Well he also spouted the ridiculous notion that 'you have nothing to fear if you have nothing to hide'… So why anyone would trust him is beyond me; esp why anyone would BLINDLY trust him. Funny thing is governments love using that line too. I want to say the first article I read about the recent revelation quoted him as calling people idiots for trusting him. Something along those lines anyway. Says plenty though.
