Facebook data-use policy says,
“We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission”
But against its own policy, Facebook’s ad-targeting tools could have leaked user’s phone numbers from their email addresses, who visits marketing websites. Group of researchers found the vulnerability and earned bug bounty of $5000. Researchers explains in a paper how they used one of Facebook’s self-serve ad-targeting tools called Custom Audiences to collect users phone numbers. Facebook fixed the bug on 22nd December, company says it has no evidence anyone took advantage of the flaw to obtain user phone numbers. It wasn’t easy to exploit.