Facebook has got itself into hot water again, this time over concerns about handing user phone numbers to advertisers. On Thursday, Facebook confirmed that phone numbers used to verify two-factor authentication become targetable by advertisers within weeks of use.

As a free platform, Facebook earns most of its money through advertising. Any information that a user posts to their Facebook profile can be used for targeted advertising within the site itself or sold (anonymously) as a commodity to interested parties. Taking this a step further, Facebook has now admitted that this policy also extends to phone numbers used solely for two-factor authentication.

Two-factor authentication (2FA) is a security measure offered by most websites that require users to log in to a service. The purpose of 2FA is to confirm a user’s identity, usually through a verification code sent to the user’s phone. The strength of 2FA is that it is very difficult for a potential hacker to both discover a user’s password and gain control of their phone. While this has become a common and trusted procedure, Facebook has twisted that trust by serving up the private numbers to advertisers as if they were publicly shared.

An inquiry from TechCrunch led to the admission of the questionable practice:

“We asked Facebook to confirm this is indeed what it’s doing… And it sent us a statement confirming that it repurposes digits handed to it by people wanting to secure their accounts to target them with marketing.

Here’s the statement, attributed to a Facebook spokesperson: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

A spokesman also told us that users can opt out of this ad-based repurposing of their security digits by not using phone number based 2FA.”

The sad reality of this response is that Facebook has taken the position that the only way to avoid giving up your private phone number is to leave your Facebook page vulnerable to hack attempts. Put simply, users must sacrifice privacy for security. Given how common online data breaches have become and how easy it is to circumvent login systems, it also raises the question of how secure Facebook’s own 2FA really is if they are willing to share this information with advertisers.

All of this just reinforces the fact that users should be extra cautious with any information they post or share on Facebook. If you would not be comfortable with the information being shared in a crowded restaurant, it has no place on social media.