Facebook has been labelled “deceptive” by a campaign group for the way it handles information people use to make their account more secure.
Many people use their phone as a second identity check when logging into their account.
Investigations have shown this data is being used to customise adverts users see on Facebook.
In the past, Facebook said the adverts were caused by software errors. Now it says they help “personalise” the site.
Details about the targeted ad campaigns emerged from research by academics at Northeastern University and Princeton University in the US. Reporters for tech news site Gizmodo also helped to stage tests which showed the data was being used to drive advertising.
The Electronic Frontier Foundation (EFF), which campaigns on digital rights, said people “explicitly” handed over the contact information to improve security and did not expect to see it used for marketing.
In some cases, said the EFF in a blog, Facebook got hold of phone numbers and other personal details even when they were not directly shared with the social network. Some of this information, called shadow profiles, was gathered on people who do not use the site at all.
The EFF was critical of Facebook and said the social network’s ad-generating practices were “deceptive and invasive” and ignored “reasonable security and privacy expectations”.
Writing on news site TechCrunch, Natasha Lomas said Facebook had been quizzed earlier in the year about why adverts were reaching people who had used their phone number as an identity guarantee.
At the time, said Ms Lomas, Facebook explained that the adverts were prompted by a bug in the site’s code.
In addition, she wrote, Facebook boss Mark Zuckerberg said it only gathered shadow profile data for “security purposes”.
In a statement, Facebook told the BBC: “We use the information people provide to offer a better, more personalised experience on Facebook, including ads.
“We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts.”
It said it made it clear that phone numbers could be used to drive adverts people would see on Facebook.
It added that Facebook users could “manage and delete” contact information they have shared at any time. However, other commentators pointed out that this might involve changing how people verify who they are.