When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them to choose, unnecessarily, between security and privacy.

While settings are available to choose whether “everyone,” “friends of friends,” or “friends” can use your phone number this way, there is no way to opt out completely.

The problems with Facebook’s phone number look-up feature are not entirely new. Facebook even promised to disable the functionality last April in the wake of the Cambridge Analytica scandal. Now, others can no longer enter your phone number directly into the Facebook search bar to find your profile. Instead, they can still use your phone number “in other ways, such as when someone uploads your contact info to Facebook from their mobile phone,” a Facebook spokesperson told USA Today. Those “other ways” are what the settings shown above control. But whether they have to type it into Facebook’s search bar or into their phone contacts, the result is the same: others can use your phone number to find your Facebook profile.

Now, since Facebook started requiring page administrators to enable 2FA last summer, it’s safe to assume that more people have started using the security feature and noticing how Facebook mismanages it. (Although Facebook stopped requiring phone numbers for 2FA enrollment last May, phone number-based 2FA can still be the most usable option for many people.)

After a Page administrator pointed out this critical problem in a tweet, Facebook was forced to respond to user concerns and media reports. Facebook’s response has been less than reassuring. TechCrunch reports:

When asked specifically if Facebook will allow users to opt out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.

Last year, Gizmodo and researchers from Northeastern University and Princeton University revealed that the company was using 2FA phone numbers—and even worse, “shadow” contact information that users never directly gave the company—for targeted advertising.

Now, the scope of Facebook’s phone number problem seems even wider. In defiance of user expectations and security best practices, it is exposing users’ 2FA phone numbers not only to advertisers but also to, well, anyone. Facebook must fix this before more people are put at risk. It should never have made phone numbers that were provided for security searchable by everyone in the first place.

