Do you currently have your phone number linked to your Facebook account? It’s for extra security, right? Or maybe to give you a recovery option if you forget your password? Well, you might actually want to think about removing your phone number from your Facebook account, because it turns out that connecting one to the other might open up a vulnerability that can allow others to gain access to your Book of Face info — if, that is, you don’t take a very important precaution. It’s a simple one, but it really, really matters. (Bustle has reached out to Facebook for comment and will update this post if/when we hear back.)
Update: A Facebook spokesperson tells Bustle via email, "Several online services allow people to use phone numbers to recover their accounts. We encourage people to only list current phone numbers, and if we detect the password recovery attempt as 'suspicious' we may prompt the person for more information." More information about switching phone numbers on Facebook is available online.
Earlier: In a recent post on Medium, James Martindale, who describes himself as a “wannabe programmer” in his bio, detailed what happened when he acquired a couple of new phone numbers — and inadvertently discovered how easy it was to gain access to the Facebook accounts connected to those phone numbers. Martindale had acquired what would be the first of these new numbers when he signed up for a prepaid plan from a major carrier; when his new SIM card arrived and he popped it into his phone, however, he suddenly got two text messages. The first, he wrote, was from a stranger (probably someone who knew the phone number’s previous owner); however, the second was “one of those texts Facebook sends out when you haven’t logged in for a while… except I hadn’t added this phone number to Facebook yet,” said Martindale.
Martindale knew that you can actually search for people on Facebook using their phone numbers, so, curious, he typed in the number belonging to his new SIM card in the social network’s search bar. An account came up, so out of pure curiosity, he opened Facebook in an incognito tab in his browser and tried to sign into this account. (Did you know that you can also use your phone number as your username to sign into Facebook? Because you can. Just, y’know, FYI.)
It didn’t work, of course — but it did give him the option to “Recover Your Account.” Clicking on “Recover Your Account” takes you to the account recovery page.
You can also access this page if you just click “Forgot account?” under the login fields in the top right corner of the main Facebook homepage.
Martindale found that many of the recovery options were starred out, but one of them was completely visible: The “Text me a code to reset my password” option linked to his new phone number showed the number in full.
“So there it was,” he wrote. “I could change the password and lock this guy out of his account, just because he forgot to remove an old number.” What’s more, when Martindale acquired yet another SIM card and phone number, he was able to recreate the same results.
The Moral Of The Story:
If you change your phone number, update that info in your Facebook account. That means removing the old phone number at the very least; you can also add your new one if you like. Facebook won’t remind you to do this, though, so you’ve got to remember it on your own. The good news is that it’s not actually difficult; here’s how to do it:
To Disconnect Your Phone Number From Your Facebook Account:
Click or tap the main menu (it’s the three lines in the bottom right-hand corner of the screen on mobile, or accessed by clicking the downward-facing arrow at the top of the screen on the far right on desktop). Then select “Settings.”
On mobile, select “Account Settings,” then “Text Messaging.”
(On desktop, however, all you have to do after selecting “Settings” is click on “Mobile.” It’s on the left-hand side under “Notifications.”)
Once you get to either the “Text Messaging” or “Mobile” screen, you’ll see your “Current Phone Numbers” listed at the top. Click or tap “Remove from your account” to disconnect a number from your Facebook account.
If you’re accessing this option on mobile, you’ll need to enter your password again to verify the phone number removal; on desktop, however, you just have to click “Remove Phone” to confirm.
And just in case you’re not wild about the idea of people being able to look you up on Facebook using your phone number, here’s how to tighten up your settings a little.
To Limit Who Can Look You Up On Facebook Using Your Phone Number:
On the main “Settings” page, select “Privacy.” Then scroll down to and select “Who can look you up using the phone number you provided?”
Unfortunately, there isn’t a “No one” or “Just me” option; the most you can limit it to is “Friends.” That’s better than nothing, though — at least you probably know most of your Facebook friends personally — so go ahead and select that if you don’t want just anyone to be able to look you up via your phone number.
I don’t say all this to freak you out or anything, but the prevalence of technology in our lives has also had the effect of making us somewhat complacent; we’re not always as conscious of online security as we should be, and sometimes, the things we think will protect us can actually be a source of serious vulnerability. Remember when journalist Mat Honan’s entire online presence and years’ worth of work and data got completely obliterated back in 2012 because of a weakness in online security? It’s the cautionary tale to end all cautionary tales — and not just for Honan; for everyone involved in the whole thing, as well as, well, all of the rest of us reading about it.
So, y’know, just… be smart about everything. Delete sensitive info you no longer need. Update info when required. And keep track of it all.
Good luck out there.