Facebook has officially confirmed that it was indeed using people's phone numbers — which they provided when signing up for two-factor authentication — to send them spam notifications and, when they replied, to post status updates on their profile without consent.
But the fiasco was caused by a bug, according to the company, not something intentional. In a blog post, Facebook security head Alex Stamos confirmed that the error caused non-security related SMS notifications to be sent to people's phone numbers.
Facebook Security Chief Explains Two-Factor Authentication Fiasco
"When we heard about this, we looked into it right away. Two-factor authentication is an important security feature that has helped a lot of people mitigate the risk of phishing attempts and helps protect people from having their accounts compromised," Stamos wrote.
Facebook uses 362-65, or "FBOOK," as its two-factor authentication number, a secure way of confirming a user's identity by sending a numeric code to a secondary device — in this case, a mobile phone. This same automated number ended up mistakenly bombarding accounts with text notifications that the recipients had never opted into.
It's not certain when the issue started. It may have been going on for weeks, or even months, until enough people complained about it on Twitter, whereupon the issue gained traction and was picked up by a handful of publications. Technology critic Zeynep Tufekci slammed Facebook for what she calls unethical behavior, claiming that the notifications were sent intentionally as a way to get accounts to post more often.
"This is how a business model can be so poisonous and harmful. This is unacceptable," said Tufekci.
"This is horrible. You give Facebook your phone number for login authentication; instead, it abuses it to SMS spam to drive up 'engagement', and when you reply to spam, it posts it on your wall."
Won't Happen Again, Says Facebook
Stamos has apologized for the bug and for the inconvenience it might have caused. Moving forward, people who sign up for two-factor authentication will never receive text notifications unrelated to security unless they specifically opt in to such texts. He then stressed again that the fiasco was "not an intentional decision; this was a bug."
Stamos also explained why people's responses were being posted to Facebook as status updates. He said it's actually an old feature from a time when SMS-to-Facebook posting was still widely used. The company is working to "deprecate" this feature soon.