You’ve probably heard about Facebook’s recent problems with SMS notifications sent through its two-factor authentication system. The company’s chief security officer, Alex Stamos, explained the issue in a blog post. The messages were apparently sent due to a bug that caused it to “send non-security-related SMS notifications to these phone numbers”. The company uses the automated number 362-65 for two-factor authentication.
A bug in that system matters, since two-factor authentication is meant to be a security feature in the first place. A numeric code is sent to the user’s smartphone to allow them to log in to devices. In the recent issue, the company ended up sending notifications to users without their consent. When someone tried to stop these notifications by replying to them, their replies were posted to their own profiles as status messages.
It seems the issue may have existed for months, or even longer. It was first reported by Gabriel Lewi, a software engineer in the Bay Area, who tweeted about it earlier in the week. “I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past,” wrote Stamos in the blog post.