Facebook logged a user into someone else’s account with a recycled phone number

Each year, telecom providers “recycle” millions of phone numbers. If you’ve ever been the owner of a recycled phone number, you’ve likely gotten a phone call or text from creditors, gyms, and other entities for months on end, looking for the last owner of your phone number. But, as more websites ask people to add phone numbers for security and authentication purposes, recycled phone numbers can also put the safety of your online accounts at risk, as one Facebook user found.

Last week, VentureBeat was approached by a Facebook user named Elliott Beck with an alarming problem. Beck said he was trying to log into Facebook on desktop for the first time in nearly a year, to send out wedding invitations. He couldn’t remember his password, so he did what he’s done every time he’s forgotten it: elected to have an account recovery code sent to him via text message. When he entered the code, nothing on his home page looked familiar.

“I had a different picture, and then a message popped up from somebody else that wasn’t anybody I knew, that was written in Spanish,” Beck told VentureBeat. “Then I realized I’m on someone else’s page.”

Immediately, Beck logged out, and was eventually able to guess his password to get back into his own account. But, as he shared in screenshots with VentureBeat, the other account was still listed in the upper right hand corner of his homepage as one he could log into if he had the password — similar to the way that Facebook Page managers can toggle between a Page and a personal account. He reported the issue to Facebook, and after about 30 minutes, the other account was removed from his home page and recent logins.

A Facebook spokesperson told VentureBeat that Beck was logged into the other user’s account because they both had the same phone number associated with their accounts. Facebook said that users do get a notification asking them to remove any out-of-date contact information when another user adds the same phone number to another account. But it appears that in this case, the owner of the other Facebook account never removed their old phone number.

Beck told VentureBeat that he had never received any calls or texts that indicate his phone number was previously owned by someone else. Beck said he got his new phone number around March 2018 and although he’s previously logged into Facebook Messenger using his new phone number, last week was the first time he logged into Facebook on desktop with it.

It’s difficult to say how many users, like Beck, have been able to access someone else’s account for popular services like Facebook because of a recycled phone number. Facebook declined to comment when asked by VentureBeat how often this occurs and to how many people. Several years ago, Ars Technica found that a Lyft user was able to access the owner of his previous phone number’s entire ride history with Lyft, in another high-profile instance of the dangers associated with recycled phone numbers.

Linus Särud, a researcher with Swedish cybersecurity startup Detectify, told VentureBeat in an email that he’s had family and colleagues experience similar issues as the one Beck described. He said that a number of websites deal with the issue of recycled phone numbers the same way Facebook does — asking users to confirm they still own the phone number if the company has reason to suspect they don’t.

“It all comes down to a question about convenience and security. Companies could make you re-verify your phone number each time, but users might think that is too time-consuming,” Särud told VentureBeat. Companies like Facebook are constantly trying to find ways to make it less time-consuming for users to log in securely — an eagle-eyed Twitter user recently noticed, for instance, that Facebook still accepts a password if a “user inadvertently has caps lock enabled,” or “if an extra character was added to the beginning or end of the password.”

Leigh Honeywell, the cofounder of startup Tall Poppy, which helps companies train their employees about how to protect themselves from online harassment, says that she generally steers users away from using phone numbers for account reset or two-factor purposes. As alternatives, Honeywell recommends third-party authenticator apps like Authy or hardware security keys like Yubikey. And, she says, cases like Beck’s are a good reminder for users to immediately disassociate their old phone numbers from any accounts, especially important ones like Gmail, Facebook, Twitter, Instagram, and Dropbox whenever they get a new phone number — even if their number hasn’t been recycled yet.

Beck’s story also presents another problem for Facebook, which has recently been slammed by lawmakers and users for failing to protect user data from firms like Cambridge Analytica, as well as for a bug earlier this year that allowed hackers to steal about 30 million users’ access tokens. Beck said that he initially reached out to VentureBeat because of the “controversy with [Facebook].”

Although Facebook says it can now distinguish between Beck’s account and that of the other user, Beck says he still plans to delete his Facebook account once his wedding invitations are sent. Other Facebook users like Beck may assume the worst when presented with similar account issues.

“When I was a kid I used it [Facebook] all the time, and I put all my personal information in there,” Beck told VentureBeat. “I don’t see much value in it [anymore] beyond being a de facto Yellow Pages,” adding that he’s been meaning to stop using the service for a while.