by collingreene 4537 days ago
I work at facebook on the security team.

This is an account recovery endpoint used if your account was hacked for example.

Your name, profile picture and a few other things are considered public information so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542


Replying, as the discussion originally seemed to be about first/last/profile picture privacy.

The scenario is: you are not able to get into your rightful Facebook account but you know some information (phone, email) that is associated with it. If you are coming from a semi-trusted computer/IP/browser/etc. that has a history of being associated with your account, Facebook displays some public information about that account to ensure one doesn't try to recover the wrong account. The posts here about people getting differing results when hitting this endpoint with other people's information are a result of these factors.

Important note: If a user you are initiating a recovery for has their "who can look me up" privacy setting set to "everyone", then we will always display such information for that user. That setting is discussed a bit more here: https://www.facebook.com/help/www/131297846947406

Hope that clears things up; this is one of the most common false positives we get via our bug bounty program, and I certainly see how it can be alarming at first.

Then why isn't there search by private email address or private phone number functionality exposed for everyone to use and know about?

It is -- you can just type in an email or phone number in the normal Facebook search box.

Not if the user set them to private.

Yes, but the email address or phone number is not. I would argue, therefore, that the information that the email or phone connects to the public information is not.

No, personally identifiable information isn't public information. What's exposed here is still personal information that you decided to make public, but presumably with the user's consent.

On Facebook, there are granular privacy settings to control who can search for you by email/phone number if you choose to use them. They're accessed by going to facebook.com/settings (dropdown arrow @ top right), then "Privacy", then "Who can look me up?" The analogy would be opting to have an unlisted phone number in the white pages back when they were printed on paper and arrived on your front doorstep.
> No, personally identifiable information isn't public information.

It can be, for a plurality of reasons. Phone books, court records, etc.