Facebook Users' Mobile Phone Numbers Exposed!

Our friends at Facecrooks have just written about a potentially massive privacy breach involving the mobile phone numbers of Facebook users and a pretty sneaky privacy setting – and it threatens to unravel all of Facebook’s work at repairing their badly damaged reputation on the online privacy scene.

The problem arises with two conflicting privacy settings for a Facebook user’s mobile number. Now we know many Facebook users have given Facebook their mobile phone number because it adds to the security of an account. For example a user can set login approvals via text from unknown devices, and it can also help a user regain control of a compromised Facebook account.

Your phone number's recommended setting – “Only Me” – but this is not the only setting…

Now if you have ever read our guide on getting your privacy settings correct you’ll know that if you do decide to give Facebook your mobile number then you should set it to “Only Me” in your “Update Info” section that appears at the top of your timeline.

The problem is, however, there is another setting that can allow another user to look up your profile based on your theoretically private phone number – and the bad news is two-fold. Firstly, the default setting is “Everyone” (meaning anyone can look you up) and secondly you cannot currently set it to “only me” ! In fact the most secure setting it can be set to is “Friends” only.

This second conflicting setting is found under “Privacy settings” and then under “How you connect”. The option “Who can look you up using the email address or phone number you provided?” is set to Everyone by default. So even though you have set your phone number as “Only Me” under your information settings, users can still look you up using your mobile phone number.

You can see the top option is set to everyone by default.

So what does this mean?

It means that if you type the full phone number into the Facebook Search feature of another user, providing that user’s second setting still has its default value of “Everyone”, Facebook will return the profile of the user with that phone number, even if their phone number is set to “Only Me” in the information settings. Try it for yourself – type a friend’s number into Facebook. If they have given it to Facebook and have left the second setting as its default value you will see their profile returned by Facebook!

Now this doesn’t mean a user can retrieve the phone number of another specific user, as you have to first type in the full phone number before Facebook retrieves the corresponding Facebook profile, but this isn’t the point…

The point is, given the number of users who have their phone number on Facebook, it does not take too long typing in random phone numbers before you begin returning results. And these results can be of any Facebook user, not just your friends.

And worse still, you can write automated scripts that harvest random phone numbers and their corresponding profiles automatically, and according to the Facecrooks article, using the mobile version of Facebook there is no limit to the number of mobile phone numbers that could be compromised by scammers.

We start typing in phone numbers, and before you know it, a result pops up!

And using these scripts scammers can compile a large number of phone numbers and the names of the people who own them – any advertiser’s dream, and these lists can go for a lot of money in the underground market.
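To make the conflict between the two settings concrete, here is an added toy model (not Facebook's code, and not from the Facecrooks article) of a reverse phone-number lookup. `lookup_flawed` consults only the “who can look you up” setting, which is the behaviour described above; `lookup_consistent` honours the stricter of the two settings, so a number marked “Only Me” can never be used to find its owner. It also includes a per-requester rate limiter of the kind that makes the unlimited guessing described above expensive. All users, numbers and limits are constructed for the example.

```python
"""Toy model of a reverse phone-number lookup governed by two privacy settings.

Constructed for illustration only: the users, numbers and limits are made up,
and the service is a simplified stand-in, not Facebook's implementation.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set

# Strictness order for a visibility setting; a lower rank is more private.
RANK = {"only_me": 0, "friends": 1, "everyone": 2}


@dataclass
class User:
    uid: str
    name: str
    phone: Optional[str]
    phone_visibility: str    # "Update Info" setting: who can see the number
    lookup_by_phone: str     # "How you connect" setting: who can search by it
    friends: Set[str] = field(default_factory=set)


def _allowed(setting: str, viewer: str, target: User) -> bool:
    """Does `setting` on `target`'s profile grant access to `viewer`?"""
    if viewer == target.uid or setting == "everyone":
        return True
    if setting == "friends":
        return viewer in target.friends
    return False  # "only_me": nobody but the owner


def lookup_flawed(directory: Dict[str, User], viewer: str, phone: str) -> Optional[str]:
    """Reproduces the conflict: only the lookup setting is consulted, so a
    number hidden with "Only Me" still resolves to a profile for anyone."""
    for user in directory.values():
        if user.phone == phone and _allowed(user.lookup_by_phone, viewer, user):
            return user.uid
    return None


def lookup_consistent(directory: Dict[str, User], viewer: str, phone: str) -> Optional[str]:
    """Apply the stricter of the two settings: if the owner hid the number
    from `viewer`, the number cannot be used to find the owner either."""
    for user in directory.values():
        if user.phone != phone:
            continue
        effective = min(user.phone_visibility, user.lookup_by_phone, key=RANK.__getitem__)
        if _allowed(effective, viewer, user):
            return user.uid
    return None


class LookupRateLimiter:
    """Sliding-window cap on reverse lookups per requester, so that guessing
    numbers until one resolves is throttled no matter which client is used."""

    def __init__(self, max_lookups: int, window_seconds: float) -> None:
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, requester: str, now: float) -> bool:
        """Return True and record the lookup if `requester` is under the cap.
        `now` is injected so the behaviour is deterministic and testable."""
        recent = self._events[requester]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            return False
        recent.append(now)
        return True


def build_directory() -> Dict[str, User]:
    """Constructed sample directory: Alice hides her number but left the
    lookup setting at its default of "everyone"; Bob set both to friends."""
    alice = User("alice", "Alice", "+15550100", "only_me", "everyone", {"bob"})
    bob = User("bob", "Bob", "+15550101", "friends", "friends", {"alice"})
    carol = User("carol", "Carol", None, "only_me", "everyone")
    return {u.uid: u for u in (alice, bob, carol)}


if __name__ == "__main__":
    d = build_directory()
    # A stranger resolves Alice's "Only Me" number under the flawed logic only.
    print("flawed:    ", lookup_flawed(d, "carol", "+15550100"))
    print("consistent:", lookup_consistent(d, "carol", "+15550100"))
    limiter = LookupRateLimiter(max_lookups=3, window_seconds=60)
    print([limiter.allow("carol", t) for t in (0, 1, 2, 3)])
```

The `min(..., key=RANK.__getitem__)` step is the whole fix: a lookup is an indirect read of the number, so it must never be more permissive than the number's own visibility. The rate limiter is orthogonal and addresses the separate point that, without a cap, random guessing scales linearly with the attacker's patience.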

In an ideal world, setting your phone number to “Only Me” should mean just that. But Facebook has once again proved itself to be anything but ideal. Conflicting privacy settings should never happen and this is not going to do their reputation any good.

And perhaps what is worse than this privacy issue is Facebook’s response to it. The person who discovered the loophole, Suriya Prakash, has contacted Facebook 5 times, and thus far they have refused to see this as any kind of problem! (UPDATE: In fact, we have found out that the issue was discovered back in June, and was reported back then – yet still Facebook have done nothing – check out this video by user ‘AintBigAintClever’ reporting the privacy issue.)

So for the moment you have two options – forgo the extra level of security and remove your mobile phone number from Facebook, or set the second setting to “Friends” only and wait for Facebook to implement another “Only Me” option (or better yet remove this second setting altogether).

Please pass this information on to your Facebook friends. It is important that every user either removes their phone number from Facebook or changes this second setting to “friends” until this issue is resolved.

Thanks to Facecrooks for this information – their article can be read here and we recommend you do read it. Also thanks to Suriya Prakash who discovered the glaring privacy hole in the first place.