An Undiscovered Facebook Bug Made Me Think I Was Hacked

My legs were sticking to the vinyl back seat of a NYC cab when I received the email on a Thursday this July. I was running late to an afternoon dentist appointment, and sending messages on Facebook Messenger. Most of the conversations were for a story I was reporting about a Facebook group for sexual assault survivors, which had been overtaken by abusers.

At the time, I was messaging with one of the abusers—who was using a fake profile—hoping to find out how they weaponized the group for harassment. In the middle of our exchange, I received an email from Facebook, which said, “We wanted to let you know that your mobile number was removed from your account. Because of this, we’ve turned off two-factor authentication on your account to make sure you don’t get locked out when using an unrecognized computer or mobile device to log in.”

I hadn’t removed my phone number; I immediately assumed I had been hacked, especially given the story I was reporting. Like hundreds of millions of people around the world, my Facebook account contains the record of a decade of my life. But in this case, my messages also contained stories of harassment by the same person I believed had breached my account.

The message didn’t include an easy way to notify Facebook that I hadn’t authorized the change, though there was a button informing me I could add a new mobile number if I wished. From the taxi, I called my editor, as well as another colleague, in an effort to contact Facebook as soon as possible.

While I paced my dentist’s office and tried to explain the situation to the receptionist, my coworker reset my password from a laptop at work. She checked the “active sessions” on my account, the devices on which I was logged in. She didn’t find anything amiss—my Facebook looked normal.

At the time, Facebook also could find nothing wrong. I switched from SMS two-factor authentication to one of Facebook’s newer, more secure methods of safeguarding my account, and hoped that everything was OK.

As it turns out, it mostly was. This week, Facebook confirmed that I had actually encountered a bug that automatically turned off two-factor authentication when users changed their phone number, or adjusted the privacy settings associated with it. In my case, as part of undergoing a Facebook “privacy checkup” before messaging the troll, I had made the number on my account visible only to me. Because of the bug, Facebook thought I was removing my number altogether, and turned SMS two-factor authentication off.

Facebook says the issue affected “a very select number of people,” though it did not specify a number. “We thank Ms. Matsakis for bringing this to our attention. We addressed the issue as soon as we were made aware of it. We continue to encourage people to apply two-factor authentication, and if this security feature is deactivated for any reason, Facebook will notify you of the change,” Pete Voss, Facebook’s security communications manager, said in a statement.

He added that these sorts of problems are brought to Facebook’s attention regularly, and you can report your own issue here. As a journalist, I was able to get someone from Facebook’ s communications team on the phone quickly, and she made sure my case was addressed. But the vast majority of Facebook users who experience a security problem aren’t able to talk to someone right away. A normal Facebook user in my situation may have also ignored or missed the initial email about two-factor authentication being turned off—leaving their account far less secure than they intended.

This is also the second SMS two-factor authentication bug that Facebook has suffered this year. In February, the social network sent unsolicited marketing messages to the phone number users signed up with for two-factor authentication, an issue it later admitted was a mistake.

If anything, the incident is fodder for the argument that we should all be moving away from SMS two-factor authentication, for more pressing reasons beyond Facebook bugs.

But my stressful dentist appointment in July unearthed more than just a lesson about security hygiene. It’s evidence of the implicit trust we all put in Facebook to safeguard our most sensitive communications. I immediately took for truth the unlikely scenario that I was hacked, even when all signs pointed to a problem with Facebook’s systems. The platforms we rely on the most are built by humans, which means they’ll always make mistakes.

More Great WIRED Stories