Prakash explains how he stumbled on the idea for his exploit back in September:

"About a month ago I was just browsing FB on my FB mobile application and it had an option called “Find friends using contacts”. What it does is that it compares the contact list from your phone to the FB database to see if you have any friends that are in your contacts but not on your Facebook account. I also later figured out that simply “searching” a person's phone number (including country code) will show you their account."

In other words, all you have to do is pick a random phone number, search for it on Facebook, and if the owner allows you to (and Prakash argues that most people do, because Facebook's privacy settings are confusing), you'll see their profile, which typically includes at least their name and profile picture, if not more information. If you write code to automate the task, as Prakash did, you can create a phone book of everyone who lets you look them up on the social network with just a phone number.

As seems typical with Facebook and privacy SNAFUs, nothing seems to have been done about this.

If you want to protect yourself, instructions are here. Or you could just not use Facebook, which works surprisingly well for me.