Update: According to a note published on Friday by Facebook’s Chief Security Officer Alex Stamos, it was indeed a bug.
“When we heard about this, we looked into it right away,” he began.
“Two-factor authentication is an important security feature that has helped a lot of people mitigate the risk of phishing attempts and helps protect people from having their accounts compromised. We also give people control over their notifications, and the last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”
He continued that it was “not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused.”
“We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days.
“To reiterate, this was not an intentional decision; this was a bug,” he concluded.
Original article: If you thought SMS spam was only something you’d receive from desperate insurance companies, think again. In fact, think Facebook.
According to Twitter user Gabriel Lewis, Facebook is sending him SMS spam after he added his mobile number to the social network to enable two-factor authentication (2FA).
2FA is essentially an additional layer of security added to your account when logging in, usually requiring a mobile number and a unique code sent to said number. However, Lewis has received more than just a code since enabling it.
“So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications,” he tweeted earlier this week. Lewis did not activate the text messaging notification feature either.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall.
pic.twitter.com/Fy44b07wNg — Gabriel Lewis (@Gabriel__Lewis) February 12, 2018
But more disturbing still is that Facebook posted his replies of “pls stop” and “DO NOT TEXT ME” to his Facebook wall.
If SMS spamming wasn’t enough, Facebook also posted Lewis’s ‘DO NOT TEXT ME’ replies to his wall
Both The Verge and Mashable reached out to Facebook, and the company’s replies were largely accusatory.
“We give people control over their notifications, including those that relate to security features like two-factor authentication,” it told both publications. “We’re looking into this situation to see if there’s more we can do to help people manage their communications.”
SMS spam is nothing new, but using a number linked to 2FA — a system that’s supposed to ensure security and privacy when one logs into their account — is low.
Users can enable 2FA without using the SMS system, and instead use a code generator app like Google Authenticator or Authy, but Facebook would rather you add your mobile number too. You know, for added security.
“You can use as many authentication methods as you’d like, but you need to have at least text message (SMS) codes turned on, or at least both a security key and Code Generator turned on,” reads the company’s documentation.
Lewis isn’t the only one experiencing the issue, and Facebook has not clarified whether it’s indeed a strange bug, or a filthy way to fish for boosted user engagement.
Simply stunning. I was annoyed at getting yet another text from Facebook last night, so I replied with “fuck off”. @yearofmoo asked me at work today “what was that fuck off thing”, I was pretty confused
They just post your SMS replies as posts to your wall
pic.twitter.com/7wTGpC271p — Rob Wormald (@robwormald) February 15, 2018
Instagram users have also seen banners asking them to enable SMS updates, but this isn’t quite the level of invasion Lewis has experienced.
it was really weird to me that instagram told me to keep my account secure by turning on sms updates? (shortly after i saw you post this too) i guess at least they’re transparent that it will lead to them texting me updates? idk still really weird tho
pic.twitter.com/4ZCJKljZEk — drake thomas birkner chip star (@halfdope) February 15, 2018
So far, it seems that only users in the United States are experiencing the issue. There has been no indication that South African users are affected, but we wouldn’t rule this out just yet.
On that note, if you’ve experienced spam from Facebook via SMS, let us know in the comments below.
Feature image: Memeburn