Facebook uses phone numbers taken for 2FA for targeted advertising. A study by researchers at Northeastern University and Princeton University found that phone numbers given to Facebook for two-factor authentication (2FA) were also used to target advertising to users. The researchers discovered this targeting method while looking into how ad targeting really works on Facebook.

Two-factor authentication has been a near silver bullet against phishing attacks and online account theft. It is very effective because it gives the user a virtual “second password”, without which the login procedure cannot be completed. While it has been, if not clear, then at least evident for a number of years that Facebook uses the contact details of individuals who never personally provided their information for ad targeting purposes (harvesting people’s personal data by other means, such as other users’ mobile phone contact books, which the Facebook app uploads), the revelation that numbers provided to Facebook by users in good faith, for the purpose of 2FA, are also, in its view, fair game for ads has not been so explicitly ‘fessed up to before.

Facebook is not only using the information users have willingly shared on Facebook for advertising, but also using contact information meant for security purposes, and contact information users never handed over at all. Facebook has given advertisers the ability to target ads by phone number. All they need to do is upload the phone numbers and email addresses they have collected to Facebook and leave Facebook to do the rest. Facebook calls this a custom audience, which allows advertisers to sell to people they know are already interested in their product or service.

The only problem here is that those advertisers can also target people who gave their phone number to Facebook thinking that it would only be used for security reasons. They have no knowledge that their contact details are being given by Facebook to those advertisers.

Facebook’s spokesperson kept on insisting that the behavior is normal and that users accepted the Terms of Service the moment they signed in with their Facebook accounts: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

Besides 2FA phone numbers, Facebook also seems busy creating “shadow profiles”, that is, profiles of persons not using Facebook. It also uses this data for ad targeting, as confirmed by the experiments. “advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc. In describing this work to colleagues, many computer scientists were surprised by this and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today,” said Alan Mislove of Northeastern University, one of the people who first discovered the FB 2FA controversy.