Facebook's phone search can be abused to find people's numbers, researchers say

08.10.2012
Attackers can abuse Facebook's phone search feature to find valid phone numbers and the names of their owners, according to security researchers.

The attack is possible because Facebook doesn't limit the number of phone number searches that a user can perform via the mobile version of its website, Suriya Prakash, an independent security researcher, said Friday in .

Facebook allows users to associate their phone numbers with their accounts. In fact, a mobile phone number is required to verify any new Facebook account and unlock features like video uploading or timeline URL personalization.

When adding phone numbers in the "Contact info" section of their Facebook profile pages, users can choose whether to make this information visible to the general public, only to their friends, or to keep it to themselves, which is a good privacy option.

Facebook also allows users to find other people on the website by searching for those people's phone numbers in international format.

Users can control who can locate them using this method through an option under "Privacy Settings" > "How You Connect" > "Who can look you up using the email address or phone number you provided?", which is set by default to "Everyone."