Facebook privacy gaffe reveals who has your number in their phonebook
Short version: Facebook will show you a list of people who have your number in their phone.
Try it: [Update: This doesn’t seem to be happening for everybody. It seems a fake-sounding name like Blah blah may be the key to triggering the security check.] Create a new Facebook account using an unused email address. Facebook will insist you add a mobile number as a security check. It will then show you a list of ‘people you might know’ - this list is people who have you in their phonebook.
–
Ironically, I was deleting my Facebook account over privacy concerns when I discovered this breach. I decided to deactivate my account, but I have a few Facebook apps that I need to maintain - so I created a new blank account ready to take over these apps.
I used a different email address obviously, and once I’d created the account, Facebook demanded to confirm my account (for security reasons) by sending an SMS to my mobile. Fine - I put in my number, received the code and entered it.
Here’s what came up next:
This list contains eight names. Some I instantly recognised, and others I had to do some research to identify. At first I was baffled - I guessed maybe Facebook had copied something across from my previous account via a cookie or similar. But it turns out that FB used my mobile number (which they took as a security check) to match up with people who have me in their mobile phone book and have synced the Facebook app.
I fully understand why they’re doing this - it connects new users into existing networks, it’s an evolution of the ‘import your Hotmail contacts’ facility. I just didn’t like the approach at all. They demanded my mobile number under the pretence of a security check, but then used it to find people who have me in their mobile phone contacts.
A little deeper thought: These little privacy leaks are not important on their own. A little data leaks here, a little there. What is concerning is that we can guarantee private investigators and professional identity fraudsters are well on top of all these little loopholes. And combined, I’d say Facebook is probably pissing data out. Some wet-dream potential for law enforcement here - slap in a request to Facebook on a drug-dealing suspect, find a list of everyone with his number in their phone. Repeat until prisons full.