The scary thing is how much one's phone number (a somewhat ephemeral thing) is actually bound to your IDENTITY.
Considering your phone number is more and more being used in 2FA ... if you were to ever change your number and someone else got it, this would pose a serious security risk if you failed to change over ALL of your internet accounts' 2FA to the new number.
I've always thought the most scary thing about this practice is that your (unique) phone number is a powerful "foreign key" which could potentially join data from many other leaked databases, forming an even larger dataset on you.
There are plenty of other places we give our phone numbers to, which might not have anywhere near the protections that Facebook say they provide.
Absolutely, and e-mail or PayPal account name too. Neither of them is trivial to change. If you try to create a new account for each thing at a generic mail provider such as Gmail, your accounts will be shut down by automatic abuse filters. If you roll your own domain, then, well... the domain becomes the foreign key.
The solution to this is unlimited true email aliases as e.g. StartMail [1] and Fastmail [2] provide. I wish this was more commonplace for email providers. Besides the up-front cost of developing / setting up the solution, email aliases have the marginal cost of one small database row per alias. And it would be such a boon for privacy.
Would using separate service email accounts help mitigate issues? seng-banking@gmail.com, then seng-banking+icici@gmail.com, seng-banking+axis@gmail.com, etc? That way my primary email would stay private and will be used only for email, not for identity.
Your private email that you don't use for signing up anywhere is irrelevant except for phishing and spam. Your secondary email address will become the foreign key that is used to correlate the datasets from everywhere you signed up with it. The +tags can just be removed since it is known how they work. Might give you a small protection against attackers who don't know about email address tags.
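As an added illustration (not part of any comment in this thread), the following self-audit sketch groups a list of signup addresses by the key a cross-dataset join would see. The function names, the `personal_domains` parameter and all sample addresses are constructed for this example.

```python
from collections import defaultdict


def correlation_key(address, personal_domains=frozenset()):
    """Return the value a dataset join would treat as 'the same person'."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in personal_domains:
        # A single-owner domain identifies its owner whatever the local part is.
        return "@" + domain
    # Plus-tags follow a published convention, so they are trivially stripped.
    base = local.split("+", 1)[0] or local
    return base + "@" + domain


def group_by_key(addresses, personal_domains=frozenset()):
    """Map each correlation key to the signup addresses that collapse onto it."""
    groups = defaultdict(list)
    for address in addresses:
        groups[correlation_key(address, personal_domains)].append(address)
    return dict(groups)


# Constructed sample: three strategies discussed in the thread.
SIGNUPS = [
    "user+icici@mail.example",   # plus-tagged
    "user+axis@mail.example",    # plus-tagged
    "User@mail.example",         # same mailbox, different case
    "shop1@seng.example",        # own domain, per-service local part
    "shop2@seng.example",
    "k3v9q@alias.example",       # true aliases at a shared provider
    "p7m2x@alias.example",
]

if __name__ == "__main__":
    groups = group_by_key(SIGNUPS, personal_domains={"seng.example"})
    for key, members in groups.items():
        status = "linkable" if len(members) > 1 else "unlinked"
        print(f"{key:22} {status:9} {members}")
```

Only the true aliases keep one key per signup; the plus-tagged addresses and the own-domain addresses each collapse to a single key.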