Facebook Letting People Harvest Phone Numbers

Phone number reverse-lookups are a favorite tool for DIY investigations… who’s that jerk calling you? who scribbled their number on the back of that ransom note? You get the idea.

PeaceFire founder and general all-around early-Internet anti-censorship badass Bennett Haselton points out Facebook’s now gotten into the reverse-lookup game by letting you search for profiles by listed phone numbers… and it seems like privacy settings don’t help much. They also implemented it in such a way that you can get huge numbers of people’s profiles by sequentially searching a given phone number space. Odds are bad guys of every stripe are already taking advantage of this.

Unfortunately, finding people’s phone numbers was the only really useful thing that site ever seemed to offer me. As much as I’m loath to recommend people feed them any more data by e.g. logging in, consider doing so long enough to delete your phone number.

As it stands, phone numbers seem to be the new “unique person” identifier of the Internet age… a surprising number of websites are now using them for situations where asking for a credit card or identity number (passport/SSN/etc.) would seem too much.

“I am not a number, I am a free man!”

We need a Mailinator for phone numbers.


“A few weeks ago a friend of mine said she was getting harassing text messages from a particular phone number, which she didn’t recognize and which didn’t appear in any of her own records. On a whim, I suggested entering the number into the Facebook search box, whereupon we found the guy’s profile (even though he had no friends in common with the account we were logged in under), realized who he was, and ratted the thirty-something out to his Mom.

Then I thought: Is it really a good idea, for this to be possible? I tried entering consecutive phone numbers (starting with a random valid number, and varying the last 2 digits from 00 to 99) into Facebook’s search box, and 13 of them came up with valid matches. None of those matches had any friends in common with the account we were searching from; as far as I can tell, anybody could enter any phone number into Facebook’s search box and find the account associated with it, if there is one.

I think this has non-trivial privacy implications. (I repeatedly contacted Facebook explaining why I think this is a problem, but they haven’t responded.) I’m not talking about the ability to find the account associated with a particular phone number — I think relatively few people have a legitimate need to send text messages from a truly anonymous phone number, and if they do, it’s their own fault if they’re dumb enough to put that number on their Facebook profile. And it wouldn’t be a practical way to unmask the phone number associated with a particular account, either — even if you knew the person’s area code, and narrowed down the list of possible exchange numbers following the area code, you’d still have to try tens of thousands of possibilities.

Rather, the problem is that you could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account. Not only would you know the names associated with each of the numbers, you could associate the phone number with anything else that was discoverable from the person’s Facebook profile — which usually includes their location, their interests, and the names of their other friends. (By default, all such information is visible on your Facebook profile — even to users who aren’t your Facebook friends and have no friends in common with you — but your contact information is supposed to be hidden from other users unless you’ve confirmed them as friends.)”
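The probing pattern Haselton describes (one account walking consecutive numbers, varying only the last two digits) leaves a clear trace in a site's own search logs. Here is an added example of a defender-side check for it, not code from Facebook or from the quoted post; the log format, account ids and 555 numbers are all invented for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a hypothetical people-search log (timestamp, searching account, query);
# account 1001 walks consecutive numbers the way the quoted post describes.
SAMPLE_LOG = """\
2010-06-01T10:00:01 acct=1001 q=555-123-0100
2010-06-01T10:00:03 acct=1001 q=555-123-0101
2010-06-01T10:00:05 acct=1001 q=(555) 123-0102
2010-06-01T10:00:07 acct=1001 q=555-123-0103
2010-06-01T10:00:09 acct=1001 q=5551230104
2010-06-01T10:00:11 acct=1001 q=555-123-0105
2010-06-01T10:00:20 acct=2002 q=Jane Doe
2010-06-01T10:00:25 acct=2002 q=555-987-6543
2010-06-01T10:01:00 acct=3003 q=555-123-0150
2010-06-01T12:30:00 acct=3003 q=555-123-0151
"""

LINE_RE = re.compile(r"^(\S+) acct=(\d+) q=(.*)$")

def phone_lookups(text):
    """Yield (timestamp, account, digits) for each query that looks like a phone number."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        digits = re.sub(r"\D", "", m.group(3)) if m else ""
        if 10 <= len(digits) <= 15:  # name searches and junk are ignored
            yield datetime.fromisoformat(m.group(1)), m.group(2), digits

def find_enumerators(text, window=timedelta(minutes=10), threshold=5, prefix_len=8):
    """Return {account: (prefix, count)} for accounts that looked up >= `threshold` distinct
    numbers sharing their first `prefix_len` digits within one window: varying only the last
    two digits, as in the quoted probe, keeps that prefix fixed."""
    per_acct = defaultdict(list)
    for ts, acct, digits in sorted(phone_lookups(text)):
        per_acct[acct].append((ts, digits))
    flagged = {}
    for acct, lookups in per_acct.items():
        start, in_window = 0, defaultdict(set)  # prefix -> numbers seen in current window
        for ts, digits in lookups:
            in_window[digits[:prefix_len]].add(digits)
            while ts - lookups[start][0] > window:  # slide the window forward
                old = lookups[start][1]
                in_window[old[:prefix_len]].discard(old)
                start += 1
            for prefix, nums in in_window.items():
                if len(nums) >= threshold and len(nums) > flagged.get(acct, ("", 0))[1]:
                    flagged[acct] = (prefix, len(nums))
    return flagged
```

Account 3003 hits the same prefix twice but hours apart, so the sliding window keeps it below threshold; only 1001 is reported.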
