Facebook has come under fire after users discovered the phone numbers the social media giant urged them to provide as a safety precaution for two-factor authentication can actually lead anyone—even those without a Facebook account—back to their profiles, TechCrunch reports. Even if a user changes their privacy settings so that only “friends” or “friends of friends” can look up their profile, the company’s default settings reportedly automatically allow everyone on the Internet to find the profile using the phone number. And there is reportedly no way to opt out. Security expert Zeynep Tufekci was among those to call out the social media giant for the move. “Using security to further weaken privacy is a lousy move—especially since phone numbers can be hijacked to weaken security. Putting people at risk,” he tweeted over the weekend. Facebook spokesperson Jay Nancarrow told TechCrunch the settings “are not new” and that they apply to “any phone numbers you added to your profile.” As Gizmodo first reported last year, the phone numbers users provide for two-factor authentication are also readily available to advertisers.