Don’t reply, or your message will get posted to your profile.
Two-factor authentication (2FA) is a widely recommended method for safeguarding your online accounts from hackers. But you might want to disable it on some of your social accounts.
For Facebook, the additional security measure appears to be an opportunity to exploit users by spamming them with notifications.
Software engineer Gabriel Lewis noticed sometime this week that the social network was using the phone number he provided for 2FA to send him notifications about friends’ posts. When he sent furious texts back, like “STOP” and “DO NOT TEXT ME,” they magically posted to his Facebook wall. Other users chimed in, confirming the behavior on both Facebook and its sister site Instagram. One user said he accidentally told friends and family to go to hell when he replied to the spam.
Same thing happened to me. I inadvertently told my friends and family to go to hell when I replied to the spam.
— David Comdico (@dcomdico) February 14, 2018
Most disturbing is that Lewis claims he doesn’t have notifications turned on. He told Mashable he signed up for two-factor authentication on Dec. 17 and started seeing texts on Jan. 5. Lewis isn’t an active Facebook user, which suggests the company may be trying to re-engage him.
To everyone telling me to opt out of mobile notifications, I never opted in. pic.twitter.com/GKq71M4dRb
— Gabriel Lewis 🦆 (@Gabriel__Lewis) February 14, 2018
Unless Facebook is trying to deceitfully boost its slowing monthly active user base by tricking people into posting status updates, the troubling behavior may just be a bug. However, the vague explanation Facebook sent to the Daily Dot suggests the behavior is normal, and that users are at fault for not knowing that a security measure would end up spamming them.
“We give people control over their notifications, including those that relate to security features like two-factor authentication,” a Facebook spokesperson said. “We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.
— Matthew Green (@matthew_d_green) February 14, 2018
It’s still unclear why the notifications are sent in the first place. Facebook also failed to say whether users are notified of the texts before they sign up for two-factor authentication. Its claim that users don’t need to register a phone number, while technically valid, is also misleading. Yes, there are other ways to set up two-factor authentication, but for most users, using their cell phone is the most convenient. The method Facebook recommends requires you to purchase a U2F security key.
This isn’t the first time Facebook has sent texts without user permission. The company was hit with a lawsuit in 2016 for sending unauthorized texts notifying users of their friends’ birthdays. The suit claims Facebook breached the Telephone Consumer Protection Act, which restricts organizations from sending unsolicited texts and phone calls. The company could find itself on the wrong end of more lawsuits if it fails to justify its latest intrusive behavior.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.