WTF?! Gizmodo reported on Wednesday that it appears Facebook is using "shadow information" to target advertising to its users. Today Facebook confirmed that it does indeed use 2FA numbers to target ads to users. Don't worry though, you can opt out by not using 2FA.

A couple of days ago Gizmodo participated in an experiment with a security researcher to see if it could target an ad to him using his phone number, and it worked. Alan Mislove had a theory that Facebook was using "shadow information" to target ads. Shadow information would be any data that is supposed to be held private between you and Facebook, like your two-factor authentication (2FA) phone number.

This is not to say that Facebook is giving the phone numbers out, but instead, it receives lists from advertisers and matches them up to contact information it already has on file to target the ads. Mislove's theory was that the company was not only using contact info in profiles, but also private security information, and the experiment seemed to prove it.

"We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts."

Indeed, TechCrunch confirmed on Friday that Facebook does, in fact, target ads to users' 2FA numbers. A Facebook spokesperson indirectly admitted that the social media platform does this. When asked if they used 2FA numbers for targeted advertising, the representative said the following:

"We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time."

The spokesperson also indicated that the only way to opt out of this type of targeting is not to use 2FA on Facebook.

It is one thing to advertise using information willingly entered into public profiles for advertising. It is something users agree to when signing up for the service. However, targeting ads to numbers provided solely for security purposes seems a bit low even for Facebook's standards.

It is highly unlikely that this practice will continue now that it has been exposed. The backlash from the security community and users is bound to be loud. So I won't be surprised when Facebook announces that they have changed this practice.