Techcrunch reported this week that an app developer had downloaded thousands of phone numbers from active Facebook accounts. This technique has been around for a while and Cloudmark has seen it used by spammers to harvest email addresses and phone numbers, and to make both email and SMS spam more personal and more convincing.
The root of the problem is that there are two separate settings that protect a Facebook user’s phone number. One controls who can see the number when Friends or the Public view the profile; the other controls who can find the profile by searching for that number.
As a Facebook user, you may have set your phone number to be visible only to your friends, but you may not have changed your “Who can look me up?” setting. If that’s the case, then someone such as a spammer or data harvester who enters your phone number in the Facebook search box can still be taken to your profile page. Once shown your profile page, the spammer can see your Facebook user name and your friends list, and has confirmed that the number belongs to a real, active account. By searching for random phone numbers, or for email addresses collected elsewhere, a spammer can harvest genuine ones from Facebook. These can then be used for SMS messages that address the recipient by first name:
heyy David! You look sexy in your facebook pic ^.^ You should look me up on Y.ah.oo so we can get naughty haha. My id is: [redacted]
or for a spam email that appears to come from one of the Facebook user’s friends (but was actually sent from an email address that had nothing to do with their friends).
If you have received a personalized SMS spam message, or a spam email apparently from a Facebook friend, it’s possible that your phone number or email address is visible in Facebook search.
To prevent this, go to the Privacy Settings in Facebook and make sure that the “Who can look me up?” line is set to “Friends”.
Note that this is a different setting from the one in which you decide who can view your phone number on your profile. The setting for who can view your phone number is chosen when you edit your profile.
Since we first saw this issue, Facebook has made significant progress in dealing with it, both by making email and phone number privacy more transparent, and by putting in safeguards against data mining such as rate limiting and IP blacklists.
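To make the two halves of this post concrete, the following is an added example (not Cloudmark’s or Facebook’s code) of the harvesting loop described above and of the rate-limiting and blacklisting safeguard mentioned in the last paragraph. It uses a constructed in-memory directory with hypothetical names and numbers, a hypothetical harvester address 203.0.113.7, and a simulated clock; each profile carries a “who can look me up” setting that is independent of whether the number is shown on the profile page, which is exactly the mismatch that lets a hidden number still be searchable.

```python
"""Simulated lookup harvesting and a rate-limit/blacklist defence.

Constructed example: an in-memory "directory" stands in for the social
network, with each profile carrying a "who can look me up" setting that
is independent of whether the number is displayed on the profile page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass
class Profile:
    name: str
    phone: str
    shown_on_profile_to: str   # "friends" or "public": who sees the number on the profile page
    lookup_by_phone: str       # "friends" or "everyone": who can reach the profile by searching the number


# Constructed sample directory: hypothetical names and numbers.
DIRECTORY: Dict[str, Profile] = {
    p.phone: p for p in [
        Profile("David", "+15550100", "friends", "everyone"),  # hidden on profile, yet searchable
        Profile("Alice", "+15550101", "friends", "friends"),   # both settings restricted to friends
        Profile("Bob",   "+15550102", "public",  "everyone"),
    ]
}


def lookup_by_phone(number: str, requester_is_friend: bool = False) -> Optional[str]:
    """Name of the profile a search for `number` lands on, or None if nothing is shown.
    Only the lookup setting matters here; the profile-display setting never applies."""
    p = DIRECTORY.get(number)
    if p is None:
        return None
    if p.lookup_by_phone == "everyone" or requester_is_friend:
        return p.name
    return None


class RateLimited(Exception):
    """Raised once a requester has been cut off by the lookup service."""


def harvest(candidates: Iterable[str], lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """The spammer's loop: probe each candidate and keep the ones that resolve to a real
    profile, pairing number with first name for a personalised SMS. Stops when cut off."""
    found: Dict[str, str] = {}
    for number in candidates:
        try:
            name = lookup(number)
        except RateLimited:
            break
        if name:
            found[number] = name
    return found


class RateLimitedLookup:
    """Server-side safeguard: a requester exceeding `max_lookups` searches within
    `window` seconds is blacklisted, and every later request from it is refused,
    even after the window has passed."""

    def __init__(self, inner: Callable[[str], Optional[str]], max_lookups: int, window: float):
        self.inner = inner
        self.max_lookups = max_lookups
        self.window = window
        self._history: Dict[str, List[float]] = {}
        self._blacklist: Set[str] = set()

    def __call__(self, requester: str, number: str, now: float) -> Optional[str]:
        if requester in self._blacklist:
            raise RateLimited(requester)
        recent = [t for t in self._history.get(requester, []) if now - t < self.window]
        recent.append(now)
        self._history[requester] = recent
        if len(recent) > self.max_lookups:
            self._blacklist.add(requester)
            raise RateLimited(requester)
        return self.inner(number)


def demo():
    """Run the same sequential probe against the unprotected and the rate-limited lookup."""
    candidates = [f"+1555{n:04d}" for n in range(100, 110)]  # ten consecutive numbers
    unprotected = harvest(candidates, lookup_by_phone)

    limiter = RateLimitedLookup(lookup_by_phone, max_lookups=2, window=60.0)
    clock = iter(float(t) for t in range(len(candidates)))  # one simulated second per probe
    source_ip = "203.0.113.7"  # hypothetical harvester address
    protected = harvest(candidates, lambda n: limiter(source_ip, n, next(clock)))
    return unprotected, protected


if __name__ == "__main__":
    u, p = demo()
    print("unprotected harvest:", u)
    print("rate-limited harvest:", p)
```

Against the unprotected lookup, sequential probing recovers every profile whose lookup setting is “everyone”, including David’s number that is hidden on his profile; Alice, who set “Who can look me up?” to friends, never appears. With the limiter in front, the same probe is cut off after two searches and the address stays blacklisted afterwards. A real deployment would key the limit on more than a source IP, since harvesters spread requests across many addresses, but the shape of the defence is the same.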