Facebook has been labelled “deceptive” by a campaign group, for sending adverts to the phone numbers people use to make their account more secure.
Many people use their phone as a second identity check when logging into their account.
In the past, Facebook has said any adverts reaching people were caused by software errors.
Now the social network says it uses the information to “personalise” Facebook for different users.
Details about the targeted ad campaigns emerged from research by academics at Northeastern University and Princeton University in the US. Reporters for tech news site Gizmodo also helped to stage tests which showed the data was being used to drive advertising.
The Electronic Frontier Foundation (EFF), which campaigns on digital rights, said people “explicitly” handed over the contact information to improve security and did not expect to see it used for marketing.
In some cases, said the EFF in a blog, Facebook got hold of phone numbers and other personal details even when they were not directly shared with the social network. Some of this information, called shadow profiles, was gathered on people who do not use the site at all.
The EFF was critical of Facebook and said the social network’s ad-generating practices were “deceptive and invasive” and ignored “reasonable security and privacy expectations”.
Writing on news site TechCrunch, Natasha Lomas said Facebook had been quizzed earlier in the year about why adverts were reaching people who had used their phone number as an identity guarantee.
At the time, said Ms Lomas, Facebook explained that the adverts were prompted by a bug in the site’s code.
In addition, she wrote, Facebook boss Mark Zuckerberg said it only gathered shadow profile data for “security purposes”.
In a statement, Facebook told the BBC: “We use the information people provide to offer a better, more personalised experience on Facebook, including ads.
“We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts.”
It added that Facebook users could “manage and delete” contact information they have shared at any time. However, other commentators pointed out that this might involve changing how people verify who they are.