Meta has acknowledged that phone number reuse that allows takeovers of its accounts “is a concern,” but the ad biz insists the issue doesn’t qualify for its bug bounty program and is a matter for telecom companies to sort out.
The core problem is that telecom companies recycle phone numbers that have been abandoned after a brief waiting period – at least 45 days in the US. That becomes a problem because many online services use a phone number to identify users and/or to deliver one-time passwords for two-factor authentication. Users who give up a number, and forget to update the number registered on their accounts, are therefore exposed to malicious account reset attempts by whoever is assigned their old number. Account takeovers are a common consequence.