Your phone number may not be as private on Facebook as you think - and how to fix it


If you use Facebook, your phone number may not be as private as you think.

Facebook phone numbers aren't necessarily private

A way in which Facebook privacy can be abused has come to light that will shock many users, but that the social network itself seems to consider a deliberate feature.

If you enter someone's phone number into the search box on Facebook, the site can perform a reverse look-up and tell you who the phone number belongs to.

Reverse look-up of a phone number on Facebook

You can see in the screenshot how I entered the mobile phone number of someone I am not Facebook friends with, and instantly was offered their name, photograph and a link to their profile.

When I spoke to the Facebook user in question, she was shocked and surprised that I had been able to find her profile simply by entering her mobile phone number.

She confirmed that her privacy settings were correctly locked down to such an extent that her phone number should only be accessible to her.

Think this Facebook privacy setting protects your phone number?  Think again

In her opinion, a privacy setting that says "Only me" attached to her phone number meant it shouldn't be shared with any of her Facebook friends - and certainly should not be accessible by me, as I'm not even one of her online friends.

And yet, if I entered her phone number into Facebook it would instantly tell me that she owned the number.

Is this a problem? Well, yes. I think it is.

Imagine, for instance, if a company knew the telephone numbers of people calling it - they would now be able to determine your name too, and possibly use it for more aggressive marketing.

Or picture meeting someone at a party and giving them your phone number - and not realising that you were also potentially sharing your full name and other contact information.

You can probably dream up other privacy concerns of your own about this Facebook "feature".

It should be your choice as to whether your phone number is connected with your Facebook profile, and whether someone can use one to find the other.

Even if you altered your privacy settings to ensure that your phone number is only visible to you, other people can still use it to look you up.

How to make your phone number more private on Facebook

The solution is to enter another section of Facebook's privacy settings called "How you connect".

Are you allowing anyone to search for you on Facebook via your phone number?

You will find the default Facebook chooses for "Who can look you up using the email address or phone number you provided?" is "Everybody".

Once again, Facebook chose the least private default for your information.

To have tighter control over your phone number, and limit those who can perform a reverse look-up against your number, you will need to change that setting to "Friend of friends" or "Friends only".

Of course, this will also mean that the same privacy settings apply to the email address you use on Facebook.
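
An added illustration, not part of the original article and not Facebook's code: a small Python model of the two separate controls described above, showing why an "Only me" phone number can still be found by search until the look-up setting is changed. The audience levels, class and function names and the sample people are assumptions made for the example; reverse_lookup_strict is a hypothetical stricter design, not something the article says Facebook does.

```python
from dataclasses import dataclass, field

# Audience levels, most restrictive first (constructed for this example).
ONLY_ME, FRIENDS, FRIENDS_OF_FRIENDS, EVERYBODY = range(4)

@dataclass
class Profile:
    name: str
    phone: str
    friends: set = field(default_factory=set)
    phone_visibility: int = ONLY_ME    # who may see the number on the profile
    lookup_audience: int = EVERYBODY   # "Who can look you up..." default per the article

def relationship(viewer, owner, profiles):
    """Return the tightest audience level that the viewer falls into."""
    if viewer == owner.name:
        return ONLY_ME
    if viewer in owner.friends:
        return FRIENDS
    if any(viewer in profiles[f].friends for f in owner.friends if f in profiles):
        return FRIENDS_OF_FRIENDS
    return EVERYBODY

def allowed(viewer, owner, audience, profiles):
    return relationship(viewer, owner, profiles) <= audience

def reverse_lookup(viewer, number, profiles):
    """Search gated only by lookup_audience; phone_visibility is never consulted."""
    return [p.name for p in profiles.values()
            if p.phone == number
            and allowed(viewer, p, p.lookup_audience, profiles)]

def reverse_lookup_strict(viewer, number, profiles):
    """Hypothetical hardened variant: apply the stricter of the two settings."""
    return [p.name for p in profiles.values()
            if p.phone == number
            and allowed(viewer, p, min(p.lookup_audience, p.phone_visibility), profiles)]

def build_sample():
    """Constructed sample data: alice - bob - carol; 'dave' is a stranger."""
    return {
        "alice": Profile("alice", "+1-202-555-0143", {"bob"}),
        "bob": Profile("bob", "+1-202-555-0101", {"alice", "carol"}),
        "carol": Profile("carol", "+1-202-555-0102", {"bob"}),
    }

if __name__ == "__main__":
    people = build_sample()
    number = people["alice"].phone
    print("default, stranger:", reverse_lookup("dave", number, people))
    people["alice"].lookup_audience = FRIENDS
    print("friends only, stranger:", reverse_lookup("dave", number, people))
    print("friends only, friend:", reverse_lookup("bob", number, people))
```
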

Facebook wants your mobile phone number

Facebook is becoming more and more aggressive in its pursuit of users' phone numbers.

Remember, Facebook has been wanting your mobile phone number for some time and hasn't been above using scare tactics to get you to hand it over.

Many users are forced to enter a mobile number for authentication when they create an account, or to be used as a security check if suspicious activity is detected.

Facebook encourages users to enter mobile phone numbers

My advice is always to be careful what phone numbers you share with websites.

There may be a case for keeping an old phone in a drawer, with a pay-as-you-go SIM. That throwaway number can be used for websites that demand a phone contact, but you don't feel they really need it. Keep your real, regular phone number closer to your chest - and only share it with websites which you believe have a genuine requirement for it.

If you are on Facebook, and want to learn more about security and privacy issues on the social network, join the Naked Security Facebook page where our 190,000 strong community regularly discuss the latest threats.

Phone number on a napkin image from Shutterstock.


42 Responses to Your phone number may not be as private on Facebook as you think - and how to fix it

  1. Matt · 652 days ago

    Just one more reason I am glad I left Facebook...

  2. Pamela Fleischmann · 652 days ago

    I don't know if it is a Facebook issue or not, but I recently purchased my first Android phone. As I was setting it up I discovered that it had sucked up ALL of my Facebook friends' phone numbers and added them to my contacts. I did NOT ask it to do this, most of them I would not call and do not need that much information on them. And now I cannot delete them. So you can get this information from Facebook without even trying?

    • Jessica Prout-Hartwell · 652 days ago

      You can actually change that, but one of the buttons you clicked through actually asked you if you wanted to allow Facebook access to your contacts. But if you go into your privacy settings, one of the options allows you to remove that right. Then log out of Facebook from your phone and log back in and you shouldn't have a million unwanted contacts anymore.

  3. jackharrybill · 652 days ago

    What's even worse is that it can get it wrong. I just tried my mobile phone number and FB thought it belonged to my next door neighbour.

  4. Stephanie Loud · 652 days ago

    Facebook have never asked me for my mobile or landline phone number and I don't have it on my profile.

    • Graham Cluley · 652 days ago

      I'm pleased to hear it!

      Unfortunately many other Facebook users have had the experience of the site asking for their mobile phone number. In some cases, FB has insisted upon it for security reasons.

    • Sue · 652 days ago

      Me either and I don't understand why people would give theirs.

  5. Nicolle · 652 days ago

    The only problem I have with this article is the meeting someone at a party example. Why would you readily give your number and not name?

    This is why I don't have my number in Facebook.

    • Graham Cluley · 652 days ago

      I'm far too old for such things, and even when I wasn't it never happened to me alas, but I can imagine that young hot-to-trot people might exchange phone numbers and just their first name rather than wanting to reveal their entire identity.

  6. Annoyed · 652 days ago

    It's also important to skip tracers and debt collectors! "you reached the wrong number" means nothing now

  7. Nigel · 652 days ago

    Even when I had a Facebook account, I never gave them my phone number. But I dumped Facebook quite some time ago when I realized that, as Graham says, "Once again, Facebook chose the least private default for your information."

    He’s right. Every one of their new "features" defaults to the LEAST amount of privacy, and it's incumbent upon the user to constantly be mucking around in the privacy settings to turn off the endless stream of new privacy abuses. I finally got tired of trying to keep up with all the new and different ways in which they consistently tried to undermine my privacy. I flushed my account.

    I don't believe they will ever change. Mr. Zuckerberg once called his users "dumb fucks". Facebook's persistent attempts to find new ways of exploiting users' personal information at the expense of their privacy provides no evidence that he has ever changed that attitude. Well, fine. If being a Facebook user means being a “dumb fuck”, I'm out.

  8. luci24 · 652 days ago

    Thank you so much for these useful blogs - I thought I was pretty au fait with Facebook privacy and had high privacy settings but you can never be too careful it seems! What do you make of Google mail doing much the same thing in asking for mobile no. for security reasons? Have to say I'm pretty reluctant to hand it over.

    • Sophisticat · 652 days ago

      Google have been nagging me for months to provide them with a number every time I have to login, and they won't leave me logged in for more than a couple of weeks. I just use the Skip option. If they get to the stage where it becomes mandatory, then they'll get a fake number. If I forget my password - which is the only reason they think they need it - then it's my problem.

      • Marc · 651 days ago

        They will require confirmation using a code though. So a fake number wouldn't work here.

    • Nigel · 649 days ago

      I distrust Google only somewhat less than I distrust Facebook. Their motto, "Don't be evil", conveniently avoids any definition of what they mean by "evil", and in any case it's a far cry from "Be good". They used their street view cam as a pretext for mapping the location of wireless routers. How do I know they're not tracking the location of mobile phones?

      You know, this business about offering so-called "free" services that aren't free at all really bugs me. I understand that Google is in business, and that it's not reasonable to expect them to provide services that are really free.

      What bugs me is that they hide what the real cost (in privacy) actually is. If they were honest and open about it — "Here's the deal. We'll provide you with this, and in exchange, you let us do that." ...and then explain exactly what "that" is, and say exactly what it costs me in terms of privacy — then I'd trust them far more. But that's not what they do. Read their terms of service. It's a monument to ambiguity.

      And how about this one: "Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live." Oh...that makes me feel much better. Not.

      Google will never get my phone number. If giving them a phone number becomes a requirement of having an account, then I will not have an account. In that case, the price of their "free" services will be far too high.

  9. XXXX · 652 days ago

    Shouldn't this problem of invasion of privacy be solvable by simply not entering your phone number ANYWHERE on facebook. Like duh!

    • Terry McLaren · 541 days ago

      Never had to enter phone number before but now they put that SMS on so I can't get in..I don't have a cell phone. I like Facebook since I have people I know on it ...I also have just a few other people on that I play games with...if I use another account I won't have anyone & will have to start all over..can you help me. I'm on disability & can't do very much walking so I'm on Face a lot..I have 2 people that I chat with..how do I get that SMS off.. I tried phoning Facebook, but they aren't answering the phone..

  10. Cat · 652 days ago

    Yes, that security screen saying that you need to add a mobile phone number to make your account more secure is confusing to some. And it says your security risk is high if you don't enter it. Some people think they HAVE to enter their number just to get past this screen. YOU CAN CLICK PAST IT. All you have to do is click HOME or what ever on the blue Facebook toolbar that shows up top above the Security Notice.

    If you have never been asked for your phone number, perhaps they already have it? Possibly you gave it years ago, and don't remember? Or, you clicked the "LEAVE ME LOGGED IN" Button and you never log out of Facebook? I get this security screen whenever I log out, and back in again. It pops up just as soon as I click enter after entering my password.

    Ignore it. Don't give them your number. My daughter said all of us with old accounts can get away without them having our phone number. But she said it is mandatory now to give FB a phone number when you create a new account. You can't create an account without one. So maybe a throw-away number would be good for this. Kinda like using a VISA gift card as a VISA # instead of your credit card on certain things where you don't want ID theft and bank fraud.

  11. anet · 652 days ago

    I just removed my number.

    • Anet · 652 days ago

      Update, have checked my number, no details come up. Have logged out and back in with no problems

  12. anonymous · 652 days ago

    Just make a number up. As long as you remember it in case you get asked to verify it, then it's fine. I do that with websites all the time, making something up to fit the formula when I am forced to give them information I don't think they need but that they have made a mandatory field. It is rare for such sites to test the number to make sure you haven't given them an old one.

    Hmm, so you cannot comment in here about unnecessary requirements for personal details without giving your name and a valid email address....

    • Graham Cluley · 652 days ago

      As you discovered, we allow people to post anonymously. :)

      A real email address is optional - but does obviously help us if your comment warrants private follow-up.

    • ben · 651 days ago

      to get a FB account you can't just make a number up; they send you an SMS with an activation code.

  13. BDJ · 652 days ago

    This used to be worse. Years ago, you could enter a partial phone number into the FB search field and get returns for everyone whose number started with those digits. This could end up providing you with a phone number for a somewhat random person in your area with this approach:

    1. Enter the area code, a known common prefix for your area code and a couple of random digits.
    2. Start adding or changing the next digit to get a set of search results that includes a profile pic that you like.
    3. Cycle through the possible last digits until it returns that person.
    4. Now you have the phone number of an individual you targeted out of a random set of users.

    I submitted this as a security flaw to them back when I found it and after a couple of emails (with no response) and a couple of months, this capability disappeared from the search function.

  14. Recvering addict · 652 days ago

    People in AA and similar 12-Step addiction recovery groups love to keep in touch by phone and only want to share first names for obvious reasons. I hope all recovering alcoholics and addicts read this article.

  15. theo · 652 days ago

    guys, same applies for emails, not just phone numbers

    • Marc · 651 days ago

      Personally I have, I think, at last count 57 accounts. Most of which are for spam. Might be an overkill on the email accounts, true. But it means I don't get things I consider spam to my account. I even set up fake names on those accounts so the name saying this is from "Bob J Smith" doesn't show up. Though I do use a legit one for places like this because I do believe the information is useful and I like it.

  16. Solbu · 652 days ago

    If facebook in the future ever decides to require that the users register with a phone number, then I'm closing my account.

    I already did that with another social network. The network was closed a year or two after that, when most of their userbase had left the site.

  17. Richard · 651 days ago

    "... and isn't been above using scare tactics ..."

    "Isn't been" isn't valid English!

  18. Art King · 651 days ago

    I never cease to be amazed at people's righteous indignation upon learning that a social network site has default settings promoting social networking. This is the power of facebook. And for those paranoid souls who don't want to social network, fine, nobody is forcing you to join.

    • Tom · 636 days ago

      They do not promote social networking, in fact they punish you for trying to use Facebook as a social network. You are not to talk, contact or msg anyone you don't know in real life even if you're trying to play their games that ask you to do just that. lol Facebook is not a real social network, it just pretends to be one.

  19. Andrew Symmons · 651 days ago

    I sometimes wonder why I signed up to Facebook with its leaky security. I was warned though, but I guess it's good to make friends and talk.

  20. CrankyYankee · 651 days ago

    I'm in the phonebook and on a bunch of those 'find-a-phone-number' sites on the internet.
    Having or not having my phone number on Facebook isn't going to make much difference. If somebody wants to find me, they will.

  21. Andrew Ludgate · 651 days ago

    When a site asks me for a phone number, I generate a new one with Google Voice. I can then receive SMS messages as regular email, and use all the filtering systems the service provides. As a bonus, the numbers I use aren't even in the same country as I am, so there's not much someone could do with a throwaway phone number.

    That said, my first response when most sites ask me for my number is to leave that site and never go back (with obvious exceptions).

  22. Bill Horvath II · 651 days ago

    Check out the Burner app for a nice solution for this problem. (I know it's available on iOS; not sure about Android.)

  23. Compbl · 650 days ago

    This is what a google voice number is good for!!!

  24. Dilan · 650 days ago

    Thanks for this article, I just checked my settings and sure enough it was set to Everyone.

  25. Newgod · 78 days ago

    I agree with this, Facebook Google they are just trying to get as much info as they can about their users, why do they need that in the first place, obviously for spying on us, a mobile phone can be used to track you in the whole world, your mobile phone will give the exact location where you are at any given time, which countries to visit, where you stay, who you call and talk about what, there are military grade softwares that can activate the phone's receivers and listen to what is being said even when the phone is not active, the camera can also be activated remotely from a computer which is in another country, they will see all your pics, they will record anything you say with the cam,
    many people say that it's only used on people with high level importance like politicians and businessmen etc, but that's not true, the policy of Google and Facebook is to spy on everyone so that they know who in the world thinks what and does what,
    the only way to stand up to this, is leave Facebook and Google services,
    if you value your privacy that is.
    Newgod


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.