Why you should NEVER put your phone number on Facebook: Setting means anyone can find you using your digits
- Facebook users are encouraged to add phone numbers to their profile
- But if they do, anyone can search them by typing number into search bar
- To prove the dangers, an engineer sent millions of randomly-generated numbers into Facebook's API and received millions of pieces of data about users
- But phone numbers can be hidden in Facebook's Privacy settings menu
Facebook users may want to think twice before putting a phone number on their profile.
The social network encourages anybody who uploads pictures from their mobile to add their number too.
But if they do, it means anyone can potentially find their name, picture and location simply by typing this number into the search bar.
Underlining the security dangers, a British software engineer has even harvested thousands of pieces of data about users, simply by generating random phone numbers.
Reza Moaiandin, technical director of Salt.agency, used a coding script to generate every possible number combination in the UK, US and Canada.
He then sent millions of numbers to Facebook's app-building program (API) in bulk. In return, he received millions of unobstructed personal profiles.
Importantly though, the data collected was only data that those users had made publicly available.
There are two relevant privacy settings that apply to this data scrape. Firstly, in the About Me section on a person's profile, they can select which groups of people, from friends to work colleagues, can see their personal data.
This includes birthdates, relationship statuses, addresses and phone numbers.
Users can also add a phone number but set it to be hidden from the search bar, namely in the 'Who can look me up?' setting under Facebook's privacy and safety tools tab.
Mr Moaiandin said in a statement to the Mail: 'With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell on the user details for purposes that the user may not be happy with.'
However, Facebook told the security researcher: 'We do not consider it a security vulnerability but we do have controls in place to monitor and mitigate abuse.'
In an email to MailOnline, Facebook defended its security settings, insisting users can adjust their privacy settings to stop people searching their information using a phone number.
The spokesman added that developers using the site's APIs are subject to strict rules, and the firm uses 'rate limits' to prevent abuse of APIs, adding that they have taken action against developers who have abused those policies.
However, even developers can't access or see information set as hidden. The problem lies in the fact that many users may not be aware that they can change their privacy setting in the 'Who can look me up' menu, and that this is set to Public by default.
In a full statement, the spokesman said: 'The privacy of people who use Facebook is extremely important to us.
'We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.
'Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information.
'Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with.'
Cyber security expert Justin Cappos, professor in computer science and engineering at NYU's Polytechnic School of Engineering, said it would be surprising if Facebook took action on the matter.
Unlike Apple, which focuses on building products, Facebook is founded on the idea of freely collating and sharing data.
'Their core mission statement is to allow people to go and disseminate information. So it's not surprising that they haven't responded to this,' Professor Cappos told Daily Mail Online.
'A company like Apple has quite a different perspective on who uses its devices. They are not trying to monetize you, they are trying to make really nice devices.
'If you're providing information to an organization like Facebook, they are making money off sharing that information about you.'
Ultimately, he said, the responsibility will always lie with the user.
'I always say only share things on Facebook that you would post publicly. Imagine a jealous ex-lover going and finding your new number or companies using it for marketing purposes. It is all in the open.'