Facebook is reportedly spamming some users by text, using a cell number they provided only for use in two-factor authentication.

In common with many services, Facebook allows you to protect your account by requiring a code when you first login from a new device. That code is texted to a cell number you provide for the purpose – but a number of users have reported it being used without their permission for notifications about posts by friends …

Software engineer Gabriel Lewis seems to have been the first to report it.

So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall.

The Verge reports that the issue got more attention thanks to a subsequent series of tweets.

Lewis’ case gained steam today when prominent technology critic and sociologist Zeynep Tufekci tweeted about it in a series of harsh criticisms of Facebook and its behavior regarding alleged “juicing” of its user engagement metrics.

Gizmodo’s Kate Conger found the same thing happening to her, stating that it started when she had a largely unused account.

At first, I only got one or two texts from Facebook per month. But as my profile stagnated, I got more and more messages. In January, Facebook texted me six times—mostly with updates about what my ex was posting. This month, I’ve already gotten four texts from Facebook. One is about a post from a former intern; I don’t recognise the name of one of the other “friends” Facebook messaged me about.

She said that not only was the spam unwelcome, it was insensitive.

It’s painful to see my ex’s name popping up on my phone all the time, and while my intern was great at her job, I’m not invested in keeping up with her personal life.

To make matters worse, some people have replied to the spam texts with STOP messages or similar – and these have ended up posted on Facebook.

I’d just gotten a text from Facebook letting me know that my former boss had commented on a post. “Abusing a security tool like 2fa to spam users is a really shitty, shortsighted thing to do,” I texted back.

One minute later, I got a text from my former boss. “Hey did someone break into your FB?” he asked. My rant about two-factor authentication had showed up as a comment on vacation photos he’d posted two weeks ago.

Replies ending up as comments appears to be a bizarre bug, but the spamming seems intentional.

In many countries, misusing a phone number in this way is illegal. In the UK, for example, it would contravene the Data Protection Act. In all countries, it’s at the very least unethical. It’s particularly unwelcome if it discourages people from using 2FA – an important security tool.

Facebook gave the same vague and unsatisfactory statement to both sites.

We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.

Photo: Bloomberg

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear