Facebook tells users that giving the company their mobile phone number will help keep their account secure. Until a few weeks ago, however, the social network’s self-service ad-targeting tools could be massaged into revealing a Facebook user’s cellphone number from their email address. The same flaw made it possible to collect phone numbers for Facebook users who had visited a particular webpage.

Facebook fixed the problems on Dec. 22, and paid a “bug bounty” of $5,000 to the team of academic researchers from the US, France, and Germany who had reported the problem at the end of May.

The potential to access users’ phone numbers was a clear breach of Facebook’s data-use policy. It states: “We do not share information that personally identifies you … with advertising, measurement or analytics partners unless you give us permission.”

Facebook says it has no evidence anyone took advantage of the flaw to obtain user phone numbers. It wasn't easy to exploit. But the incident illustrates a tricky trade-off at the heart of the company’s business model, says Neil Gong, a professor at Iowa State who works on social-network privacy and wasn’t involved in the research.

Software flaws are not uncommon in technology. For Facebook, however, the hazards of accidental slip-ups are magnified by its need to both convince consumers to entrust it with their personal data, and simultaneously provide advertisers ways to leverage that same data.

That creates different risks to those of more conventional data-hoarding companies, such as credit bureaus. While those companies typically work with select corporate clients, anyone can sign up to run ads on Facebook and tap the abundant data from its users.

“There have been data brokers for years but typically to get access to that data you had to sign a contract with them,” says Alan Mislove, a professor at Northeastern who worked on the project that exposed the problem. “Facebook and Google are de facto data brokers—they don’t sell data but they are making that data available in indirect ways to a wide range of people.”

Mislove worked with others from French research institutions EURECOM and University of Grenoble Alpes, and the Max Planck Institute for Software Systems in Germany. The group will present its findings at a security conference in May.

The researchers exploited one of Facebook’s self-serve ad-targeting products called Custom Audiences. It allows advertisers to upload lists of anonymized customer data such as email addresses and phone numbers, and then target ads to Facebook users the company can find using that data. Facebook tells advertisers how many of its users will see an ad targeted to such a list. If you create multiple target lists, it reports how much they overlap.

Until Facebook altered the system in December, that feedback on audience size and overlap could be exploited to reveal data about Facebook users. The trick involved taking advantage of the way Facebook rounded those figures to obscure the exact numbers of users in different audiences.

In one demonstration, the researchers got Facebook to reveal the cellphone numbers of 19 volunteers from the Boston area and France, who provided the email addresses associated with their Facebook accounts.

The first step involved using Facebook’s ad tools to generate a series of ad-targeting lists covering all 2 million possible Boston-area cellphone numbers, and the 20 million numbers in France. The researchers then used Facebook’s tools to repeatedly compare those audience lists against others generated using the targets’ emails. Watching for changes to the estimated audience figures that occurred when an email address matched a phone number could reveal users’ numbers one digit at a time. This attack appeared to apply to all Facebook users with a phone number associated with their account.
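Why rounding the reported audience size does not by itself hide whether one person is in an audience, shown as a privacy audit a platform team could run against its own size-reporting function. This is an added example, not code from the article, Facebook, or the researchers. The estimator functions, the rounding step of 10, and the minimum size of 20 are assumptions (the article does not give Facebook's rounding rule), and the example generalizes beyond the text by also auditing a minimum-size floor and full suppression.

```python
from typing import Callable, Iterable, List, Optional

# An estimator maps the exact (hidden) audience size to what the advertiser sees.
Estimator = Callable[[int], Optional[int]]


def rounded_estimate(exact: int, step: int = 10) -> int:
    """Report the size rounded to the nearest multiple of `step` (assumed rule)."""
    return ((exact + step // 2) // step) * step


def floor_then_round(exact: int, minimum: int = 20, step: int = 10) -> int:
    """Hardening attempt: report 0 below a minimum size, round everything else."""
    return 0 if exact < minimum else rounded_estimate(exact, step)


def suppressed_estimate(exact: int) -> None:
    """Report no size at all for audiences built from uploaded identifiers."""
    return None


def single_user_boundaries(estimate: Estimator, sizes: Iterable[int]) -> List[int]:
    """Sizes n where one additional matching user changes the reported value.

    At each such n the report differs between 'person is in the audience' and
    'person is not', so the rounded figure confirms membership exactly.
    """
    return [n for n in sizes if estimate(n) != estimate(n + 1)]


def audit(estimate: Estimator, max_size: int = 100) -> dict:
    """Summarize whether an estimator ever reacts to a single user."""
    boundaries = single_user_boundaries(estimate, range(max_size))
    return {"leaks": bool(boundaries), "boundaries": boundaries}


if __name__ == "__main__":
    for name, fn in [("rounded", rounded_estimate),
                     ("floor+round", floor_then_round),
                     ("suppressed", suppressed_estimate)]:
        print(name, audit(fn))
```

Any deterministic, non-constant function of the exact count has at least one such boundary, so changing the rounding step or adding a floor moves the boundaries without removing them.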