A software engineer has exploited a loophole in Facebook's privacy settings to gather data from thousands of users by randomly generating mobile phone numbers.
Reza Moaiandin, technical director at Leeds-based SEO firm Salt.agency, used Facebook's Who Can Find Me? setting to obtain names, locations and profile pictures of users who had linked their mobile number to their profile.
"Every time it goes through one number, it calls Facebook's API [application program interface], which is pretty much open and gathers IDs associated with each telephone number," Moaiandin told the Guardian.
"The point is, when I'm trying to get these details, I shouldn't be able to sniff into it and look into it. Facebook should pre-encrypt it so I can't get that ID and I can't get those personal details."
The Who Can Find Me? setting is set to Public/Everyone by default, and security experts have warned that hackers could exploit this to create large databases of Facebook users for sale on the dark web.
It could also be used to find the mobile number and location of politicians, celebrities and other public figures who have linked it to their account.
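As an added illustration that is not part of the Guardian article or of Facebook's own systems, this is the kind of defender-side check an operator of a phone-to-profile lookup API could run over its request log: a client that queries many distinct numbers and mostly gets no match looks like the random-number enumeration described above. The client names, phone numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "client phone hit", where hit is 1 when the
# number resolved to a profile and 0 when it did not.
SAMPLE_LOG = """\
contacts-sync 447700900101 1
contacts-sync 447700900102 1
contacts-sync 447700900101 1
contacts-sync 447700900150 0
scraper-x 447700900001 0
scraper-x 447700900002 0
scraper-x 447700900003 1
scraper-x 447700900004 0
scraper-x 447700900005 0
scraper-x 447700900006 0
scraper-x 447700900007 0
scraper-x 447700900008 1
"""

def parse_log(text):
    """Return a list of (client, phone, hit) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("0", "1"):
            continue
        records.append((parts[0], parts[1], parts[2] == "1"))
    return records

def client_stats(records):
    """Per client: (number of distinct phones queried, share of lookups that missed)."""
    phones = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for client, phone, hit in records:
        phones[client].add(phone)
        total[client] += 1
        if not hit:
            misses[client] += 1
    return {c: (len(phones[c]), misses[c] / total[c]) for c in total}

def flag_enumerators(records, max_distinct=5, max_miss_ratio=0.5):
    """Clients whose lookup pattern matches enumeration (thresholds are assumed)."""
    return sorted(c for c, (distinct, miss) in client_stats(records).items()
                  if distinct > max_distinct and miss > max_miss_ratio)
```

A legitimate contact-sync client repeats a few known numbers and mostly gets hits; the flagged client burns through fresh numbers with a high miss rate, which is the signal a rate limit or lookup cap would act on.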
Moaiandin compared it to "walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details.'"
Facebook has said that it does not consider it a security vulnerability and did not reward Moaiandin when he submitted it earlier this year through the social network's bug bounty scheme.
"The privacy of people who use Facebook is extremely important to us," Facebook said in a statement. "We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products.
"Developers are only able to access information that people have chosen to make public. Everyone who uses Facebook has control of the information they share; this includes the information people include within their profile, and who can see this information."