Meta has identified the practice of recycling phone numbers by telecom companies as a potential risk for account takeovers on Facebook and Instagram. The issue arises when these recycled numbers, previously linked to various online accounts, are reassigned to new users. This reassignment can potentially give the number's new holder unauthorized access to accounts that still have that number registered for two-factor authentication or recovery processes.
Despite acknowledging the risk, Meta has stated that resolving this issue falls under the purview of telecom operators, not within its own domain of responsibilities. The company has made it clear that this particular problem does not qualify for its bug bounty program, emphasizing that the control of number allocation and reissue lies solely with telecom providers.
Research Highlights Persistent Vulnerability
Princeton University researchers previously highlighted the severity of this issue in 2021, revealing that a significant portion of sampled phone numbers were still linked to active accounts on various popular websites. This situation potentially facilitates unauthorized access and account takeovers. Telecom companies, aware of these risks, have attempted to address the problem by advising customers to update their contact information across online services when changing their numbers. Despite these measures, the problem persists, posing ongoing risks to digital security and privacy.
Legal and Regulatory Implications
The concern over recycled phone numbers has prompted action from privacy consultants and activists. Alexander Hanff, a notable figure in digital privacy advocacy, has reported Meta to the Irish Data Protection Commission, citing potential violations of the General Data Protection Regulation (GDPR). The regulation mandates the responsible handling of personal data, including proactive measures to mitigate known security risks. Hanff's report underscores the necessity for companies to address foreseeable vulnerabilities, rather than shifting responsibility onto other parties or users.
Conclusion: A Call for Collaborative Solutions
As the debate over the responsibility for preventing account takeovers linked to phone number recycling continues, it becomes increasingly clear that a collaborative approach may be required. Telecom companies, tech giants, and regulatory bodies must work together to develop and implement comprehensive strategies to protect users from this significant security loophole. The resolution of this issue is crucial in maintaining the trust and safety of digital environments for users worldwide.