Facebook's Notification Spam Problem Was Caused By a 2FA Bug

Image: iStock

Facebook recently added two-factor authentication (2FA) to their network, plugging a long-standing security issue. The new system works using several different options for the second authentication factor including a security code sent to you via SMS. But it turns out people got a lot more messages than they bargained for when they took this option. As a result, users started getting notifications over SMS that had nothing to do with security.

Facebook' Chief Security Officer, Alex Stamos, said in a statement that the company is working on a fix that will be available in the "coming days".

Once the bug is resolved, it makes sense to turn this on if you're a Facebook user. There are instructions provided by Facebook that detail what 2FA options they offer. If you're keen to try it out before the SMS notification bug is resolved, you can use the Code Generator and security key option, so you can avoid receiving a bunch of useless text messages.

The impact of the big was exacerbated when users replying to the texts, sending the usual "stop" to turn off SMS notifications, saw those replies on their Facebook wall. This is because Facebook still supports the ability to send status updates by SMS. Stamos said the ability to post to Facebook via text message would be deprecated.


    SMS is insecure as a 2FA method due to the ability to intercept messages. Use code generator (either the FB app or a third party app) or an alternative method.

      Yep. NIST has basically downgraded SMS to not being a trusted system and that it shouldn’t be relied on for any secure transmission/application.

Join the discussion!

Trending Stories Right Now