Find Facebook ID from phone number

Don’t have the time to read the entire article? Go to the FAQ section below for everything you should know.
Update: someone pointed out that PayPal actually reveals the last four digits of phone numbers, so this technique may work for large countries as well if the target has their phone linked to their PayPal account.
Verifying one of the phone numbers I discovered
Last month, I discovered it is relatively simple to reveal private phone numbers on Facebook, uncovering some phone numbers of Belgian celebs and politicians. Even though this trick only seems to work in small countries such as Belgium (+/- 11.2 million people), a significant number of people are affected by this simple, yet effective privacy leak.
When I notified the fine folks of the Facebook Security team with my concerns, I got an answer I didn’t quite expect:
Not an issue, according to Facebook
When the “who can look me up by phone” setting is set to public, your phone number is public.
There are a few issues with this:
  • The setting is set to public by default
  • It’s confusing: even though your phone number on your profile is set to ‘only me’, the ‘who can look me up’-setting overrules this. While people think their phone number is private, it’s not:
This setting only indicates whether the phone number is visible on your profile. It does not indicate whether your phone number is public.
If this setting is set to ‘Everyone’, which is the default value, your phone number is considered public.
‘Who can look me up’ also implies the person ‘looking you up’ already has your phone number. It implies that someone is looking for your specific Facebook profile based on your phone number, and not the other way around.
  • There is simply no only me setting
If you link your phone number to Facebook and want to lock down your privacy settings, you cannot prevent your ‘friends’ from still having access.
Despite sharing my concerns with the security team, they decided not to fix the issue. Even though I do not agree, I respect their decision. I did decide to write about it nonetheless — I think people have the right to know.
  • Many people don’t even know Facebook has their phone number. While Facebook can not just extract your phone number from your phone, it will repeatedly ask you to confirm and save your number upon launching Facebook for mobile. After a colleague deleted his phone number following my findings, Facebook immediately asked him to re-enter it:
Click the button to share your phone number with the world again
How it works
My technique uses the Graph Search. Most people know that you can enter a phone number in the Graph Search to get the corresponding user:
Verifying a Belgian celeb’s phone number I found using my technique
Simply testing every number is an impossible job that would take months. Facebook also has some strong rate limiting in place that will temporarily block additional requests after +/- 1000 lookups. Sure, you could use a botnet with valid Facebook accounts, but I’m sure Facebook has some restrictions to tackle these, too.
Reviewed by Daniel Chuks on 04:20 Rating: 5
