Facebook Can Target Your Phone Number for Ads. And You Might Not Be Able to Stop Them

Advertisers have long been able to target their marketing on Facebook using lists of phone numbers, and they can obtain those numbers from legitimate business interactions with existing customers or by leasing or purchasing lists of numbers from data brokers. (That’s one reason why stores ask for your number when you make a purchase.)

On Wednesday, Facebook admitted phone numbers provided to the social network for extra security purposes on user accounts—often referred to as two-factor authentication (2FA)—may be used to target advertising to those people, even if that phone number wasn’t previously disclosed to the company in another way.

In addition, Facebook can target ads to a user if their phone number exists only in a friend’s uploaded contact list. In its story revealing the practice, Gizmodo described phone numbers obtained this way as “shadow contact information.” Facebook doesn’t offer a setting for opting out or blocking the use of your number if it appears in someone else’s uploaded contact list. Fortune asked Facebook whether any other privacy or ad settings would cover this and did not immediately receive a reply.

But you can prevent the “shadow” use of your number—so long as you’re willing to stop using your phone number for 2FA.

“We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts,” a Facebook representative told TechCrunch on Thursday. “You can manage and delete the contact information you’ve uploaded at any time.”

With 2FA, Facebook and many other companies make the entry of a password just the first step in a login. After successfully entering an account name and password, you receive or generate a “second factor,” a short code that’s bound to the same account. Only the person who set up 2FA and has access to the account can receive or generate this code.

A second factor proves that you don’t only “know” something (the password), but also “have” something (a phone or an app registered to the account). That physical component deters account cracking even if passwords get disclosed, guessed, or broken.

These second-factor codes, often six digits long, can arrive in different ways, and the method varies by service. A code may be sent as a text message to a phone number or generated by an authentication app that holds a secret initially provided by the service. Some companies also let you verify a login elsewhere within an installed smartphone app. Apple, meanwhile, uses a proprietary approach across its computers and mobile devices, in addition to text and voice messages. Using phone numbers and text messages is a preferred method of 2FA for most users because of its convenience.

Facebook had always required a phone number as a second factor, even as it added app-based verification. A few months ago, it lifted the phone-number requirement.

To alter your Facebook 2FA settings, select the downward-pointing triangle at the top-right of any Facebook page, choose Settings, then Security and Login, and finally Two-Factor Authentication. If you’ve assigned a phone number, click or tap Remove Number, and then confirm with Remove. Facebook said this will disable its ability to market to your phone number (unless one of your contacts has your number in their address book, which they likely do).