
As we've been slowly learning since Facebook's Cambridge Analytica scandal, the social network effectively has two different profile pages for its users. One is the public version where you control what information the social network knows about you. The other one is a "shadow profile," and its job is to collect information about you from other sources, such as the contacts list on the phone of a different Facebook user.

Shadow profiles are kept secret, by the way; users have no control over or access to their contents.


We know how this works because of a new wave of reporting and academic research, such as this latest story from Gizmodo. In it, senior reporter Kashmir Hill describes a test where she targeted an ad at a specific user (who had been made aware of the test) using nothing more than an unlisted phone number -- one that this user had never given to the social network.

However, the user had shared this number with others, and those others use Facebook (Android, iOS), and his unlisted number is in the contact lists on the devices that the others use to connect to the social network. Through this digital chain of custody, Facebook is able to present an ad to a user based on information that the user did not directly provide.

It gets worse. Have you ever used a phone number to set up two-factor authentication (2FA) on Facebook? After all, security experts have been telling people to do that kind of thing for years. It helps to protect people against their own junky passwords by asking for a temporary code that's only visible on your device.

However, Hill identifies a report from Northeastern University indicating that this phone number gets dropped into that shadow profile too.


Thankfully, the social network now offers app-based 2FA for apps like Google Authenticator (Android, iOS), which is safer anyway because its access codes are generated on your device, rather than using the old SMS text message method. Such messages can be intercepted, or they can simply fail to arrive due to bad cell reception. But Facebook has not yet removed the SMS-based option. (And either way, good luck getting Facebook Messenger to work without a phone number.)

Shadow profiles are particularly troubling when you consider how much hot water Facebook is already in over the privacy of its users' data; the company has been under the microscope about this issue for far longer than any other controversy in its 14-year history, to the point of appearing before the U.S. Senate for televised public hearings on what happened with Cambridge Analytica and what the company plans to do to restore the public's trust.

It appears to be off to a slow start. But with millennials and teens continuing to migrate away from Facebook, or not signing up at all (a notion that would have sounded ridiculous ten years ago), this publicly traded company may be under a lot of pressure to keep its financials looking good.

And one way to do that is to seek out new ways to advertise to its users -- perhaps at a cost that it cannot ultimately afford.

The takeaways

  • Researchers at Northeastern University report that Facebook may be targeting users with ads based on the phone numbers they've provided to Facebook to set up two-factor authentication (2FA).
  • Facebook promotes 2FA as a way to protect your account from unauthorized access. It does not clearly disclose that this phone number may be used to deliver targeted ads.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.