
Meta says risk of account theft after phone number recycling isn't its problem to solve
2024-02-13 08:27

Meta has acknowledged that phone number reuse that allows takeovers of its accounts "is a concern," but the ad biz insists the issue doesn't qualify for its bug bounty program and is a matter for telecom companies to sort out.

Users who abandon a number and forget to update their accounts with the new one are at risk of malicious account reset attempts by whoever gets access to their old numbers.

Privacy consultant Alexander Hanff, an occasional contributor to The Register, noted a social media post in which a Reddit user describes gaining access to a "random girl's" account by using a newly provisioned mobile phone number to log in to Meta's Instagram service.

If, for example, a Facebook user changes phone numbers but fails to note that change in Facebook or other accounts that use it for authentication, the recipient of the old, recycled number can try to log in to the Facebook account still linked to that number.

If that number is still associated with the user's Facebook account, the person who now has that number could then take over the account.

Facebook doesn't have control over telecom providers who reissue phone numbers or over users having a phone number linked to their Facebook account that is no longer registered to them.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/13/meta_phone_security_number_recycling/