In addition to JJzD:
Nowadays, it no longer ends up on your (public) profile, but that doesn’t mean Facebook doesn’t use it. As can be read in this article (from a few years ago now), a phone number that (in the user’s eyes) is provided only to secure their account can be used by advertisers for targeting. This is done through your “shadow profile”, which consists of all the data that you did not enter directly to share, but that Facebook knows about you. Including your 2FA phone number.
However, Facebook holds not only your phone number, but also the numbers of many other users and even entire phone books uploaded in the past. (See also the article above.)
Consider the following scenario: You have a Facebook account, but you keep work and private life separate, so you don’t have your colleagues on Facebook. At some point you decided that you wanted to better protect your Facebook account with 2FA and decided to use your phone number for this. You are doing this for security reasons. However, what you don’t know is that one of your colleagues at the time, in Messenger, for example, clicked “OK, that’s fine, go ahead” all over the place and actually handed his entire phone book over to Facebook, which also contains your number. Suddenly, Facebook now knows that your line of work may have something to do with X (via this colleague) or that you likely have a greater affinity with it.
Facebook doesn’t care that you have a phone number. What matters to them is that it’s a very strong individual identifier (061 is often associated with a single person), which often indicates a stronger connection between people than, for example, both liking the same page.
In a similar way, the Apple OCSP (Online Certificate Status Protocol) controversy has subsided. Apps on macOS are signed with a certificate that is validated on Apple's servers when the app is opened. They receive data about each application and your IP address. (It is all more precise than that, I know; see: https://blog.jacopo.io/en/post/apple-ocsp/). This looks pretty innocent, right? What can they do with the application ID and IP address? Nothing.
Until you do it often, at different times, and from different locations. If you open certain apps (e.g. Photoshop, InDesign, Chrome) from IP-A between 9:00 and 17:00, and Netflix, Spotify and Chrome from IP-B in the evening, then your business and home can reasonably be located with reverse Geo-IP. Combined with map data, for example, this can even be traced back to the company you work for. By keeping track of which IP addresses you check in from and when, your travel movements and sleep rhythms can also be tracked.
Suddenly, that little bit of data you thought you were giving away isn’t so innocent anymore.
Incidentally, I find it very remarkable that Facebook now only requires two-factor authentication (2FA) for such accounts.