Facebook: Two-factor authentication spam was caused by a bug

The social network promises to roll out a fix in the next few days.

Busakorn Pongparnit via Getty Images

A number of people have been receiving random notifications from Facebook after giving the social network their phone number for two-factor authentication. Worse, if they attempt to cancel that by replying to the message, say with STOP or CANCEL, Facebook would post their replies as a status update for all to see. Now, the social network has admitted that the issues were caused by a bug and promised to roll out a fix that will stop non-security-related notifications in the next few days.

Facebook Chief Security Officer Alex Stamos explained that the website didn't intentionally spam people who signed up for two-factor using their phone numbers. After all, Facebook doesn't want to deter people from signing up for 2FA. "[T]he last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications," he said.

The exec has also revealed that responses to the notifications got posted as status updates due to an old feature that allowed posting via text message. Obviously, that's no longer as useful in a world where WiFi hotspots and mobile data are becoming more and more common. That's why Facebook is now working to deprecate that feature, so those sick of getting random notifications can rage-reply to them without having to worry that their friends would witness their meltdown.

Until Facebook rolls out a fix, those affected by the bug can go to Settings > Notifications to switch off text notifications. (That's what I did when I started getting these messages some months ago.) Those who'd rather not risk the same thing happening in the future can choose to use a physical key or one of those code-generating apps instead of giving their phone numbers to the social network.