Instead of using two-factor authentication phone numbers as an extra security measure, Facebook added them to their ad-targeting profiles
Moreover, she also recommended to users who are bothered about this practice to use an e-mail address for enabling two-factor authentication for their account.
The weird part in all of this is that Facebook decided to allow their users to use e-mails for two-factor authentication about four months ago, in a blog post by Scott Dickens.
"In describing this work to colleagues, many computer scientists were surprised by this and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services," Alan Mislove one of the researchers said. "Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today."