Facebook’s Two-Factor System Is Sending Users Spam Texts and Posting Their Replies

Facebook has been sending texts and emails to inactive users.

Facebook users are receiving spam texts from the company on the phone numbers they entered for the platform’s two-factor authentication system—a problem that has reportedly been happening for months but just caught the public eye this week. People have taken to Twitter to further complain that their responses to the texts are being auto-posted onto their Facebook walls. When developer Gabriel Lewis tried to reply to the missive with a text message reading “Stop,” the command did not halt the spam but was instead posted onto his feed, a parable of tech-enabled miscommunication that he captured in screenshots:

Kate Conger detailed in Gizmodo her own experience with the flaw, which she claims has been a problem since last summer. Conger observes that the messages, which provided updates on her ex and other “friends,” became more incessant as she used her Facebook account less and less. When she texted back, “Abusing a security tool like 2fa to spam users is a really shitty, shortsighted thing to do,” the sentence appeared as a comment on her boss’s vacation pictures. She writes, “What’s most frustrating is that Facebook has taken a security feature like two-factor authentication—which gives users valuable protection from phishing and account takeovers—and perverted it into a tool for spam.”

It seems neither Conger nor Lewis opted into getting text messages. The Verge notes that, at least in Lewis’s case, Facebook purposefully contacting him by text without his express permission could violate the Telephone Consumer Protection Act. Facebook is facing a number of class-action lawsuits for allegedly failing to abide by this law. It’s unclear at the moment, however, whether the texts are a bug or feature of the platform’s two-factor system.

Facebook also sends emails to people who own inactive accounts, though the company has denied that this is a tactic to lure former users back onto the platform. Bloomberg reported in January that people have been receiving these emails with increasing frequency in countries such as India, Portugal, and the U.S.

A spokesperson for Facebook sent a statement to Slate: “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.” Thanks, Facebook.

Update, Feb. 20, 11:30 a.m.: Facebook sent Slate a statement clarifying that the spam texts were the result of a bug. Alex Stamos, Facebook’s chief security officer, wrote in a blog post:

It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.
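The two defects the article describes, a two-factor phone number receiving non-security messages and a reply to such a message being turned into a wall post, map onto a notification policy that keeps the 2FA channel security-only by default. The following is an added example, not Facebook's code; it assumes a hypothetical per-number opt-in flag for notifications and a separate, explicit flag for post-by-SMS.

```python
# Added example (hypothetical service, not Facebook's): a 2FA phone number is a
# security channel. Non-security messages require explicit opt-in, an inbound
# STOP is an opt-out, and a reply is never published unless post-by-SMS is on.
from dataclasses import dataclass, field

# Message kinds that are part of account security and may always be delivered.
SECURITY_KINDS = {"login_code", "new_device_login", "password_reset"}

@dataclass
class PhoneChannel:
    number: str
    registered_for_2fa: bool = True
    opted_into_notifications: bool = False   # explicit opt-in, default off
    posting_by_sms_enabled: bool = False     # separate feature, default off
    opted_out: bool = False                  # set by STOP

@dataclass
class Outbox:
    sent: list = field(default_factory=list)
    posts: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

def send_sms(channel, kind, text, out):
    """Deliver security messages unconditionally; anything else needs opt-in."""
    if kind in SECURITY_KINDS:
        out.sent.append((channel.number, kind, text))
        return True
    if channel.opted_out:
        out.blocked.append((kind, "opted out"))
        return False
    if channel.registered_for_2fa and not channel.opted_into_notifications:
        out.blocked.append((kind, "2fa-only number"))
        return False
    out.sent.append((channel.number, kind, text))
    return True

def handle_inbound_sms(channel, body, out):
    """STOP opts the number out; a reply becomes a post only if that feature is on."""
    if body.strip().upper() in {"STOP", "UNSUBSCRIBE"}:
        channel.opted_out = True
        return "opted_out"
    if channel.posting_by_sms_enabled:
        out.posts.append(body)
        return "posted"
    out.blocked.append(("inbound", "reply ignored"))
    return "ignored"
```

Note that a STOP reply suppresses friend updates but not login codes, so opting out of the unwanted texts cannot lock the user out of two-factor authentication.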