Facebook on Thursday confirmed that advertisers were privy to phone numbers given by members of the social network for enhanced security.
A study by two US universities, first reported by news website Gizmodo, found that phone numbers given to Facebook for two-factor authentication were also used to target advertising.
Two-factor authentication is intended to enhance security by requiring a second step, such as entering codes sent via text messages, as well as passwords to get into accounts.
Phone numbers added to profiles, for security purposes, or for messaging were potential fodder for advertisers, according to the study.
"These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings," researchers said in the study, which looked at ways advertisers can get personally identifying information (PII) from Facebook or its WhatsApp and Messenger services.
Contact lists uploaded to Facebook platforms could be mined for personal information, meaning that people could unintentionally help advertisers target their friends.
"Most worrisome, we found that phone numbers uploaded as part of syncing contacts -- that were never owned by a user and never listed on their account - were in fact used to enable PII-based advertising," researchers said in the study.
The study supported concerns that Facebook uses "shadow" sources of data not given to the social network for the purpose of sharing to make money on advertising.
"We use the information people provide to offer a better, more personalized experience on Facebook, including ads," a spokeswoman said in response to an AFP inquiry about the study findings.
"We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts."
Facebook is grappling with the worst crisis in its history, vilified for not more zealously guarding the information that users share.
The Silicon Valley-based internet colossus faced intense global scrutiny over the mass harvesting of personal data by Cambridge Analytica, a British political consultancy that worked for Donald Trump's 2016 election campaign.
The company has admitted up to 87 million users may have had their data hijacked in the scandal.