
An Undiscovered Facebook Bug Made Me Think I Was Hacked

My legs were sticking to the vinyl back seat of a NYC cab when I received the email on a Thursday this July. I was running late to an afternoon dentist appointment, and sending messages on Facebook Messenger. Most of the conversations were for a story I was reporting about a Facebook group for sexual assault survivors, which had been overtaken by abusers.

At the time, I was messaging with one of the abusers—who was using a fake profile—hoping to find out how they weaponized the group for harassment. In the middle of our exchange, I received an email from Facebook, which said, “We wanted to let you know that your mobile number was removed from your account. Because of this, we’ve turned off two-factor authentication on your account to make sure you don’t get locked out when using an unrecognized computer or mobile device to log in.”

I hadn't removed my phone number; I immediately assumed I had been hacked, especially given the story I was reporting. Like those of hundreds of millions of people around the world, my Facebook account contains the record of a decade of my life. But in this case, my messages also contained stories of harassment by the same person I believed had breached my account.

The message didn’t include an easy way to notify Facebook that I hadn’t authorized the change, though there was a button informing me I could add a new mobile number if I wished. From the taxi, I called my editor, as well as another colleague, in an effort to contact Facebook as soon as possible.

While I paced my dentist’s office and tried to explain the situation to the receptionist, my coworker reset my password from a laptop at work. She checked the “active sessions” on my account, the devices on which I was logged in. She didn't find anything amiss—my Facebook looked normal.

At the time, Facebook also could find nothing wrong. I switched from SMS two-factor authentication to one of Facebook’s newer, more secure methods of safeguarding my account, and hoped that everything was OK.


As it turns out, it mostly was. This week, Facebook confirmed that I had actually encountered a bug that automatically turned off two-factor authentication when users changed their phone number, or adjusted the privacy settings associated with it. In my case, as part of undergoing a Facebook "privacy checkup" before messaging the troll, I had made the number on my account visible only to me. Because of the bug, Facebook thought I was removing my number altogether, and turned SMS two-factor authentication off.
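The failure mode described above, as an added illustration that is not Facebook's code: a handler that decides whether a phone number is "gone" by looking at the privacy-filtered view of the profile rather than at the stored value, so that setting the number to "only me" is indistinguishable from deleting it and SMS two-factor authentication gets switched off. The Account model, the visibility values, the handler names and the sample number are all hypothetical, chosen only to show the bug class beside its fix and the regression check that would have caught it.

```python
"""Hypothetical model of the 2FA-disabling bug: visibility change mistaken for removal.
Not Facebook's code; field names, visibility levels and sample data are invented."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

VISIBILITIES = ("public", "friends", "only_me")  # hypothetical privacy levels


@dataclass
class Account:
    phone_number: Optional[str]
    phone_visibility: str = "friends"
    sms_2fa_enabled: bool = False
    notifications: List[str] = field(default_factory=list)


def visible_phone(acct: Account, viewer: str) -> Optional[str]:
    """Privacy-filtered view of the number: 'only_me' hides it from every
    viewer except the account owner."""
    if acct.phone_visibility == "only_me" and viewer != "owner":
        return None
    return acct.phone_number


def _disable_sms_2fa(acct: Account) -> None:
    acct.sms_2fa_enabled = False
    acct.notifications.append(
        "Your mobile number was removed from your account; "
        "two-factor authentication has been turned off.")


def apply_update_buggy(acct: Account, new_visibility: Optional[str] = None,
                       remove_number: bool = False) -> Account:
    """Buggy handler: decides whether the number is gone by consulting the
    privacy-filtered view (as a generic, non-owner viewer would see it). A
    change to 'only_me' therefore looks like a removal, and SMS 2FA is
    switched off even though the number is still stored on the account."""
    if new_visibility is not None:
        acct.phone_visibility = new_visibility
    if remove_number:
        acct.phone_number = None
    if acct.sms_2fa_enabled and visible_phone(acct, viewer="system") is None:
        _disable_sms_2fa(acct)
    return acct


def apply_update_fixed(acct: Account, new_visibility: Optional[str] = None,
                       remove_number: bool = False) -> Account:
    """Fixed handler: visibility is presentation-only and is never consulted
    when deciding about the 2FA factor. Only an explicit removal of the stored
    number can disable SMS 2FA, and the user is still notified when it does."""
    if new_visibility is not None:
        acct.phone_visibility = new_visibility
    if remove_number:
        acct.phone_number = None
        if acct.sms_2fa_enabled:
            _disable_sms_2fa(acct)
    return acct


Handler = Callable[..., Account]


def twofa_survives_privacy_change(handler: Handler) -> bool:
    """Regression check: hiding the number from others must not touch 2FA."""
    acct = Account(phone_number="+1 555 0100", sms_2fa_enabled=True)  # constructed
    handler(acct, new_visibility="only_me")
    return acct.sms_2fa_enabled and acct.phone_number == "+1 555 0100"


def twofa_off_after_real_removal(handler: Handler) -> bool:
    """Both handlers should still turn SMS 2FA off, with a notice, when the
    number really is removed: the factor no longer has a delivery target."""
    acct = Account(phone_number="+1 555 0100", sms_2fa_enabled=True)  # constructed
    handler(acct, remove_number=True)
    return (not acct.sms_2fa_enabled and acct.phone_number is None
            and len(acct.notifications) == 1)


if __name__ == "__main__":
    for name, h in (("buggy", apply_update_buggy), ("fixed", apply_update_fixed)):
        print(name, "| privacy change keeps 2FA:", twofa_survives_privacy_change(h),
              "| real removal disables 2FA:", twofa_off_after_real_removal(h))
```

The check worth keeping from this is the invariant, not the model: a change that only alters who can see a field must never alter which factors protect the account, and any code path that does disable a factor should emit the notification the user would need to notice it.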

Facebook says the issue affected “a very select number of people,” though it did not specify a number. “We thank Ms. Matsakis for bringing this to our attention. We addressed the issue as soon as we were made aware of it. We continue to encourage people to apply two-factor authentication, and if this security feature is deactivated for any reason, Facebook will notify you of the change,” Pete Voss, Facebook’s security communications manager, said in a statement.

He added that these sorts of problems are brought to Facebook’s attention regularly, and you can report your own issue here. As a journalist, I was able to get someone from Facebook’s communications team on the phone quickly, and she made sure my case was addressed. But the vast majority of Facebook users who experience a security problem aren’t able to talk to someone right away. A normal Facebook user in my situation may also have ignored or missed the initial email about two-factor authentication being turned off, leaving their account far less secure than they intended.

This is also the second SMS two-factor authentication bug that Facebook has suffered this year. In February, the social network sent unsolicited marketing messages to the phone number users signed up with for two-factor authentication, an issue it later admitted was a mistake.

If anything, the incident is fodder for the argument that we should all be moving away from SMS two-factor authentication, for more pressing reasons beyond Facebook bugs.

But my stressful dentist appointment in July unearthed more than just a lesson about security hygiene. It’s evidence of the implicit trust we all put in Facebook to safeguard our most sensitive communications. I immediately took for truth the unlikely scenario that I was hacked, even when all signs pointed to a problem with Facebook’s systems. The platforms we rely on the most are built by humans, which means they'll always make mistakes.
