Facebook Apologizes For Heinous Two-Factor Authentication Spam And Offers A Fix

It is amazing what a little public shaming will do, especially in this day and age of social media. Not that we are advocating being an online bully or anything like that (please don't be). However, Facebook is making a change to the way it handles two-factor authentication on mobile devices after it was lambasted online for spamming users with unrelated notifications when enabling the added security precaution.

Let's start with the backstory. In a recent Twitter post, a Facebook user and software engineer named Gabriel Lewis complained that he was receiving notifications on his phone after enabling two-factor authentication. The notifications had nothing to do with security, and instead were links to posts of assumed interest by his Facebook friends. In essence, Facebook took advantage of enabling two-factor authentication by spamming his phone with notifications.

Even worse, any replies he made to the text messages were posted on his wall. For example, he texted "stop," "Pls stop," and "STOP" to try and get Facebook to stop sending him unrelated notifications. It didn't work, and each of those replies ended up on his wall.

Kate Conger, a writer at Gizmodo, said she experienced the same thing. Only in her case, she wrote in a reply, "Abusing a security tool like 2fa to spam users is a really sh***y shortsighted thing to do," which Facebook embarrassingly posted as a comment on a vacation photo that her boss had posted two weeks prior. Her boss was understandably confused, putting Conger in the uncomfortable position of explaining why she cursed at one of his vacation pics. Not cool.

News of Facebook's bad behavior quickly spread, prompting an apology and an upcoming fix.

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused," said Alex Stamos, Facebook's chief security officer. "We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

The apparent "bug" is that Facebook enables mobile notifications by default when a user turns on two-factor authentication. This should be an opt-in feature, not an opt-out one, and apparently Facebook is working to make it so. In the meantime, if this is something that affects you, go to Settings > Notifications to toggle them off.

Stamos also addressed the issue of why responses to notifications were being posted as status updates.

"For years, before the ubiquity of smartphones, we supported posting to Facebook via text message, but this feature is less useful these days. As a result, we are working to deprecate this functionality soon," Stamos said.
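The two design points in this story, a phone number collected for 2FA being reused for activity notifications by default, and replies to that number being published as status updates, can be modelled in a few lines. The following is an added example, not Facebook's code: a purpose-bound phone enrollment in which non-security SMS is off until the user opts in, and an inbound reply can only reach the wall if the number was explicitly enrolled for the legacy post-by-text feature. All names (`Purpose`, `PhoneEnrollment`, `enroll_for_2fa`, `handle_inbound_sms`) and the phone numbers are constructed for illustration; the `legacy_default` flag reproduces only the opt-out notification default the article describes.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Purpose(Enum):
    """Why a phone number is on file. A number enrolled for one purpose
    must not be reused for another without the user choosing it."""
    TWO_FACTOR = "2fa"
    SMS_POSTING = "sms_posting"   # the legacy post-by-text feature


@dataclass
class PhoneEnrollment:
    number: str
    purposes: Set[Purpose]
    # Secure default: non-security SMS stays off until the user opts in.
    activity_notifications: bool = False


@dataclass
class Account:
    user: str
    phone: Optional[PhoneEnrollment] = None
    wall: List[str] = field(default_factory=list)


def enroll_for_2fa(account: Account, number: str, legacy_default: bool = False) -> PhoneEnrollment:
    """Enrol a number for 2FA only.

    legacy_default=True reproduces the opt-out behaviour the article describes
    (enrolling switches activity notifications on); False is the opt-in fix.
    """
    account.phone = PhoneEnrollment(
        number=number,
        purposes={Purpose.TWO_FACTOR},
        activity_notifications=legacy_default,
    )
    return account.phone


def opt_in_activity_sms(account: Account) -> None:
    """An explicit user choice is the only path that turns activity SMS on."""
    if account.phone is None:
        raise ValueError("no phone enrolled")
    account.phone.activity_notifications = True


def outbound_sms_allowed(account: Account, category: str) -> bool:
    """Gate every outbound SMS on its category: security codes always go out,
    anything else requires the opt-in flag."""
    if account.phone is None:
        return False
    if category == "security":
        return True
    return account.phone.activity_notifications


def handle_inbound_sms(account: Account, body: str) -> str:
    """Route a reply sent to the enrolled number.

    Returns 'posted', 'stop' or 'ignored'. 'STOP' is honoured as an
    unsubscribe rather than published, and a number enrolled only for
    2FA can never write to the wall.
    """
    if account.phone is None:
        return "ignored"
    if body.strip().upper() == "STOP":
        account.phone.activity_notifications = False
        return "stop"
    if Purpose.SMS_POSTING in account.phone.purposes:
        account.wall.append(body)
        return "posted"
    return "ignored"


def demo() -> dict:
    """Constructed before/after walk-through with a made-up number."""
    before = Account("alice")
    enroll_for_2fa(before, "+15550100", legacy_default=True)
    after = Account("alice")
    enroll_for_2fa(after, "+15550100")
    return {
        "legacy_sends_activity_sms": outbound_sms_allowed(before, "activity"),
        "fixed_sends_activity_sms": outbound_sms_allowed(after, "activity"),
        "fixed_sends_security_sms": outbound_sms_allowed(after, "security"),
        "reply_outcome": handle_inbound_sms(after, "Pls stop"),
        "wall_after_reply": list(after.wall),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of separating `purposes` from `activity_notifications` is that the two failures in the article are independent: the first is a default that was opt-out instead of opt-in, the second is an unrelated legacy channel silently bound to the same number. Fixing the default alone would still leave "Pls stop" landing on the wall, which is why the inbound handler checks the enrollment purpose rather than assuming every SMS to a known number is a post.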

Sounds like a good plan to us.