Facebook logged a user into someone else’s account with a recycled phone number

Anna Hensel (@ahhensel)
February 7, 2019 9:30 AM
A man poses with a magnifier in front of a Facebook logo on display in this illustration.
Image Credit: Dado Ruvic/Reuters


Each year, telecom providers “recycle” millions of phone numbers. If you’ve ever been the owner of a recycled phone number, you’ve likely gotten a phone call or text from creditors, gyms, and other entities for months on end, looking for the last owner of your phone number. But, as more websites ask people to add phone numbers for security and authentication purposes, recycled phone numbers can also put the safety of your online accounts at risk, as one Facebook user found.

Last week, VentureBeat was approached by a Facebook user named Elliott Beck with an alarming problem. Beck said he was trying to log into Facebook on desktop for the first time in nearly a year, to send out wedding invitations. He couldn’t remember his password, so he did what he’s done every time he’s forgotten it: elected to have an account recovery code sent to him via text message. When he entered the code, nothing on his home page looked familiar.

“I had a different picture, and then a message popped up from somebody else that wasn’t anybody I knew, that was written in Spanish,” Beck told VentureBeat. “Then I realized I’m on someone else’s page.”

Beck immediately logged out, and was eventually able to guess his password to get back into his own account. But, as he shared in screenshots with VentureBeat, the other account was still listed in the upper right-hand corner of his homepage as one he could log into if he had the password — similar to the way that Facebook Page managers can toggle between a Page and a personal account. He reported the issue to Facebook, and after about 30 minutes, the other account was removed from his home page and recent logins.

A Facebook spokesperson told VentureBeat that Beck was logged into the other user’s account because they both had the same phone number associated with their accounts. Facebook said that users do get a notification asking them to remove any out-of-date contact information when another user adds the same phone number to another account. But it appears that in this case, the owner of the other Facebook account never removed their old phone number.

Beck told VentureBeat that he had never received any calls or texts that indicate his phone number was previously owned by someone else. Beck said he got his new phone number around March 2018 and although he’s previously logged into Facebook Messenger using his new phone number, last week was the first time he logged into Facebook on desktop with it.

It’s difficult to say how many users, like Beck, have been able to access someone else’s account on popular services like Facebook because of a recycled phone number. Facebook declined to comment when asked by VentureBeat how often this occurs and how many people it affects. Several years ago, Ars Technica found that a Lyft user was able to access the entire Lyft ride history of his phone number’s previous owner, in another high-profile instance of the dangers associated with recycled phone numbers.

Linus Särud, a researcher with Swedish cybersecurity startup Detectify, told VentureBeat in an email that he’s had family and colleagues experience issues similar to the one Beck described. He said that a number of websites deal with the issue of recycled phone numbers the same way Facebook does — asking users to confirm they still own the phone number if the company has reason to suspect they don’t.

“It all comes down to a question about convenience and security. Companies could make you re-verify your phone number each time, but users might think that is too time-consuming,” Särud told VentureBeat. Companies like Facebook are constantly trying to find ways to make it less time-consuming for users to log in securely — an eagle-eyed Twitter user recently noticed, for instance, that Facebook still accepts a password if a “user inadvertently has caps lock enabled,” or “if an extra character was added to the beginning or end of the password.”

Leigh Honeywell, the cofounder of startup Tall Poppy, which helps companies train their employees about how to protect themselves from online harassment, says that she generally steers users away from using phone numbers for account reset or two-factor purposes. As alternatives, Honeywell recommends third-party authenticator apps like Authy or hardware security keys like Yubikey. And, she says, cases like Beck’s are a good reminder for users to immediately disassociate their old phone numbers from any accounts, especially important ones like Gmail, Facebook, Twitter, Instagram, and Dropbox whenever they get a new phone number — even if their number hasn’t been recycled yet.

Beck’s story also presents another problem for Facebook, which has recently been slammed by lawmakers and users for failing to protect user data from firms like Cambridge Analytica, as well as for a bug earlier this year that allowed hackers to steal about 30 million users’ access tokens. Beck said that he initially reached out to VentureBeat because of the “controversy with [Facebook].”

Although Facebook says it can now distinguish between Beck’s account and that of the other user, Beck says he still plans to delete his Facebook account once his wedding invitations are sent. Other Facebook users like Beck may assume the worst when presented with similar account issues.

“When I was a kid I used it [Facebook] all the time, and I put all my personal information in there,” Beck told VentureBeat. “I don’t see much value in it [anymore] beyond being a de facto Yellow Pages,” adding that he’s been meaning to stop using the service for a while.
