
Unless you've been living in a cave, you've probably heard a lot over the past year about Facebook's difficulties with properly securing the personal data that you share with it. In fact, along the way, we've discovered how much Facebook can figure out about you, without you ever directly giving it any information about yourself.

From social sharing buttons that track the websites you visit, to "shadow profiles" that use data from Facebook members in your social circle to fill in the blanks on your behalf, the company's consumption and marketing of your personal details continues apace.

And according to a new report from TechCrunch, even the contact info that you give Facebook to securely log in can be used to find you on the social network -- and the company currently doesn't allow you to disable this searchability.


The issue is related to the two-factor authentication (2FA) that Facebook has been aggressively promoting for months. With this system, Facebook sends you a temporary code to confirm your identity, and it expires after about 30 seconds. In theory, since this code can only appear on the phone associated with your account, it prevents hackers from getting in even when they have (or can guess) your password.

The default setup for Facebook's 2FA asks for your phone number -- yet this same number can apparently be searched for on the social network to find your profile page. From there, a person can see whatever else is publicly viewable on that page, like where you live, who your friends and family are, and your opinions on anything that you've talked about on Facebook in the past.

Thankfully, phone numbers aren't the only way to use two-factor authentication. In fact, they're the inferior way to go about it, and not just because of Facebook's latest privacy lapse. With 2FA based on a phone number, the SMS text messages that contain your login code can be intercepted by the bad guys, or they can just fail to arrive if your connection is spotty.

The much better method is to use an app like Google Authenticator, which generates these codes right on your phone instead. Because the code never travels over the phone network, it is both more private and available to you even when you have no signal. And luckily for you, we have a whole guide on how to do that. It takes a little more setup than SMS-based 2FA, but we think it's worth the extra peace of mind.


How to change your Facebook login security settings

To change your Facebook login security settings, log in and go to your account's 2FA setup page. Click the "Get Started" button, select Authentication App on the right, and click Next. Then open Google Authenticator (if you've chosen that for your 2FA), tap the red "+" button in the bottom right, and choose "Scan a barcode." Finally, point your phone's camera at the QR code that Facebook is showing.

Putting the QR code in front of your phone's camera will automatically sync the app's code generation with Facebook's user authentication system, but you're not quite done yet. To confirm with Facebook that you're properly syncing, click Next, enter the 2FA code that your app is showing you, and then click the Next button one last time to complete the process.


  • Facebook defaults to using your phone number to set up two-factor authentication, and TechCrunch reports that this phone number can be used to find you on the social network. There is no setting to disable this visibility.
  • However, you can switch to using app-based authentication, which is more secure and reliable than SMS text messages anyway.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.