One of the easiest and most effective ways to protect your online accounts is to sign up for two-factor authentication. This simple security measure requires a site knowing your contact information so it can inform you if a hacker attempts to access your account. To its credit, Facebook encourages its users to sign up for this feature, but according to a report in Gizmodo this week, the social media giant also uses that contact information to target advertising.

Computer science professor Alan Mislove teamed up with Gizmodo to prove this theory. To test it, Gizmodo writer Kashmir Hill directed an ad to display to a Facebook account associated with Mislove’s landline number. Facebook had previously told Hill this wouldn’t work — but Mislove saw the ad several hours later.

This is a big deal because that phone number wasn’t one that Mislove had in his public profile. Indeed, Facebook can target you using all kinds of information, including what you’ve provided to the site for security purposes, and sometimes by using info you haven’t given it at all.

“Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising,” Hill wrote. “It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books.”

Facebook has not been up front about this practice, but it’s still worth using two-factor authentication anyway. Some security is better than none, even if Facebook is overstepping its bounds in the process.