Facebook has always nudged truant users back to its platform though emails and notifications. But recently, those prods have evolved beyond comments related to activity on your own profile. Now Facebook will nag you when an acquaintance comments on someone else’s photo, or when a distant family member updates their status. The spamming has even extended to those who sign up for two-factor authentication—which is a great way to turn people off to that extra layer of security.

“The part of it that bugs me is that two-factor authentication is something [Facebook] should be encouraging people to use, but instead the way this is working here is that they’re driving people away from two-factor and making people less secure,” says Matt Green, a professor at the Johns Hopkins University Information Security Institute, who has done contracted security work for Facebook in the past. “It’s abusive, people’s attention is deliberately tweaked by what looks like a two-factor authentication message.”

Green says he’s received near-daily SMS messages from Facebook since January alerting him that one of his friends performed some action on the platform. Before he started receiving the messages, Green says he hadn’t logged into Facebook for a long time and had actually forgotten his password.

The weirdest part about the SMS notifications is what happens if you reply to them. If you respond, your message is posted to your own profile. If the notifications involve someone else’s content, users say the text replies inadvertently show up as comments on other people’s photos or statuses. I set up text two-factor authentication myself to try this out, and my text reply did end up on my own profile.

Facebook

Facebook's response about what was happening with SMS messages didn't shed very much light on the issue. “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications,” a spokesperson said in a statement.

But in a blog post Friday, Facebook's security head Alex Stamos described the SMS spam as a bug. "It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused," Stamos wrote, adding that the company would soon do away with the ability to post to Facebook via SMS.1