Just because you mark some of your Facebook data as private doesn’t mean that you’re hard to track down. Software engineer Reza Moaiandin has learned that it’s possible to scoop up the public details of legions of Facebook users simply by guessing phone numbers with a random number generator. You see, the social network defaults to letting anyone search for you using your phone number, even if it’s unlisted — as there’s no search limit, all it takes is a script to harvest the user IDs for thousands of people. As you can imagine, there’s a real worry that this will not only let black market dealers and hackers collect targets en masse, but help them get numbers to use for phone-oriented attacks and spying.
With that said, this loophole doesn’t necessarily mean that you’re at immediate risk. Facebook tells The Guardian that it has “network monitoring tools” running to watch for suspicious data activity, and its developer kit rules limit just how (and how often) apps can scrape information. The company could theoretically cut off access to an app if it grabs too many profiles too quickly. The concern is that Facebook isn’t explicitly tackling this problem by instituting firm caps on data collection. Even if it’s not possible to circumvent the developer rules, nosy intruders might get lots of information before Facebook cuts them off.
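To make the "firm caps" idea concrete, here is an added sketch (not from the article, and not Facebook's code) of a hard limit on how many distinct phone numbers one client may search per time window, run against constructed traffic. The class name, client labels, the cap of 20 and the one-hour window are all assumptions chosen for illustration.

```python
from collections import defaultdict


class LookupCap:
    """Hard cap on DISTINCT phone numbers a client may search per window.

    Counting distinct numbers (not raw requests) leaves someone who keeps
    looking up the same few contacts alone, while a client that walks
    through guessed numbers runs out of budget almost immediately.
    """

    def __init__(self, max_distinct, window_seconds):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.seen = defaultdict(dict)  # client -> {number: first-seen time}

    def allow(self, client, number, now):
        seen = self.seen[client]
        # Drop numbers whose first lookup has aged out of the window.
        for old in [n for n, t in seen.items() if now - t >= self.window]:
            del seen[old]
        if number not in seen and len(seen) >= self.max_distinct:
            return False  # refused up front: no profile data is returned
        seen.setdefault(number, now)
        return True


def answered_per_client(cap, requests):
    """Replay (time, client, number) events; count lookups that get answered."""
    counts = defaultdict(int)
    for now, client, number in requests:
        if cap.allow(client, number, now):
            counts[client] += 1
    return dict(counts)


def constructed_traffic():
    """Constructed sample: one guessing client, one ordinary user."""
    # "scraper" tries 1000 different made-up numbers, one per second.
    reqs = [(t, "scraper", f"N{t:06d}") for t in range(1000)]
    # "ordinary" re-checks the same 5 contacts once a minute, 50 times.
    reqs += [(t * 60, "ordinary", f"friend-{t % 5}") for t in range(50)]
    return sorted(reqs)


if __name__ == "__main__":
    cap = LookupCap(max_distinct=20, window_seconds=3600)
    print(answered_per_client(cap, constructed_traffic()))
```

With the cap enforced on every request, the guessing client is refused after its twentieth distinct number, whereas monitoring that reacts after the fact bounds nothing until someone acts on the alert.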