Desperate Facebook poisons the well, spamming disenchanted users with torrents of notifications, including through 2FA

As Facebook users drift away from the platform, the company is becoming increasingly desperate to lure them back, doubling down on its obnoxious tactic of spamming users whose activity has fallen off with notifications intended to pique their interest in using the service again.

This has always been obnoxious, but it's getting much worse. The service is scraping the barrel for things to notify users about — "acquaintance comments on someone else's photo" — and also desperately using two-factor authentication channels like SMS to send these missives.

So if you give Facebook your phone number and permission to send you SMSes to stop your account from being hacked, the company starts sending you text messages to let you know that a distant cousin has changed their relationship status. When you reply to these SMSes (for example, by texting "STOP" in a bid to get your SMSes back again), the service helpfully posts your reply to whatever update you've been notified about.

Facebook CSO Alex Stamos — a consistently good egg whose final day at the company is mere weeks away — says that this was a "bug" and that the company would halt the practice.

It had better. If your goal was to discourage people from signing up for extra layers of security, you could hardly do better than to exploit those security measures to pester them in a transparent bid to get them to increase their engagement with your service.

Facebook's response about what was happening with SMS messages didn't shed very much light on the issue. "We give people control over their notifications, including those that relate to security features like two-factor authentication. We're looking into this situation to see if there's more we can do to help people manage their communications," a spokesperson said in a statement.

But in a blog post Friday, Facebook's security head Alex Stamos described the SMS spam as a bug. "It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused," Stamos wrote, adding that the company would soon do away with the ability to post to Facebook via SMS.1

Facebook Notification Spam Has Crossed the Line [Louise Matsakis/Wired]