Facebook accused of spamming 2FA phone numbers

Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.

Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.


Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.

From the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.

We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.

Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator with an authenticator app such as Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS).

We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.

The Verge says it confirmed that this is happening with any reply to a Facebook 2FA text message. At least one user said on Twitter that Instagram has also spammed them with notifications to their 2FA phone number.

Lewis says he never opted in to notifications via text messaging to begin with, yet still, he and other sufferers have to put up with text spam.

As of Wednesday, some people were getting pretty steamed, with many insisting that this is clearly not a bug and accusing Facebook’s marketing of running amok:

Of course, simply insisting that something must be deliberate doesn’t make it so.

We’re trying to get more details out of Facebook and we’ll update the story if we get them.

In the meantime users might want to look at Facebook’s Code Generator for 2FA. Not only could it help with this feature/bug, it’s also widely considered to be a safer sort of 2FA than using SMS.

Update. Facebook’s Chief Security Officer, Alex Stamos, has publicly stated that “this was not an intentional decision; this was a bug“. The reason why replies sent via SMS ended up published as status notifications turned out to be a left-over feature from when people actually used SMSes to interact with Facebook. According to Stamos, “this feature is less useful these days.” No kidding! Apparently, Facebook is “working to deprecate this functionality soon.” Deprecate doesn’t mean the same as discontinue, and soon doesn’t really mean anything – but Facebook has officially used the words “we are sorry” and “this was a bug”, which is a lot better than many companies manage in the aftermath of a breach, vulnerability, bug or outage. [Added by Paul Ducklin @ 2018-02-17T15:30Z.]