Tell HN: Meta is using my 2FA to call and sell me
317 points by codyZ on Oct 26, 2022 | 80 comments
I run a couple of businesses with ad accounts connected to my personal account.

I received multiple calls this morning on my personal cell that's used for 2FA for my personal FB account. All of them, they were pitching me ads to buy for my business accounts.

None of my business accounts have my personal cell on them.

Edit: Now my personal email connected is getting emails to purchase business ads...




If you are in the USA, then what you received are unsolicited marketing phone calls under the TCPA, a law which allows you to personally collect up to $1500 per violation of the law or associated regulations, per phone call that you received. If your personal phone is on the federal "Do Not Call" registry, it's possible that there are at least two violations of the law per phone call you received.

I would suggest sending a demand letter to Meta's legal department offering to settle for somewhat less than $1500 per violation. Here's an example: https://www.junkfax.org/w/images/0/0b/SampleDemandLetter.pdf

If they ignore you, be prepared to file a local case in small claims court (which you can do yourself without an attorney). The court can force them to pay you if you present evidence of the calls and the law(s) or regulations that were broken.

Disclaimer: I am not a lawyer and this is not legal advice, but I have collected money from TCPA legal settlements in the past, each without needing to go to court.


Using Facebook Business Tools requires you to accept an arbitration clause, which may limit your ability to pursue small claims against them:

https://www.facebook.com/legal/commercial_terms/update


If they were using his business contacts, this seems like it would apply, as that data is collected from the business accounts which would fall under this agreement.

But does this apply when using personal account data? Does the business account agreement override the use of PII on a personal account to initiate business solicitations?

Definitely something to talk to a lawyer about.


Or just try small claims and see.


Sure, but you can pursue the claim in arbitration, and they'll pay the fees as long as you don't claim too much.

> Each party will be responsible for paying any AAA filing, administrative and arbitrator fees in accordance with AAA Rules, except that we will pay for your filing, administrative, and arbitrator fees if your Commercial Claim for damages does not exceed $75,000 and is non-frivolous (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b))


This definitely makes the situation quite a bit more sticky, however hope is not completely lost IMHO. For example, there have been several cases recently dealing with binding arbitration clauses and the TCPA, and in several of them, the binding arbitration clause was found to be unenforceable [1].

If it were me, I'd still send the demand letter and see how it plays out.

[1] https://www.dnc.com/news/compelled-arbitration-tcpa-defense-...


If they show up to small claims court they are free to make that argument to change venue. Something tells me they won't show up though.


I thought that companies you are doing business with are allowed to call you. He has an account, they can call.

Also not a lawyer.


The TCPA requires express written consent to send marketing messages or phone calls to any personal phone number. Legal precedent dictates that online, this usually takes the form of a specific checkbox on the form where you're giving your phone number saying that you agree that the company can use the phone number for marketing purposes. I doubt Meta collects this type of express written consent for your 2FA phone number, but I guess it's possible.

There indeed used to be an exemption to the law involving an existing business relationship, but 1) this was only for residential land lines and never applied to cell phones, and 2) it was revoked on October 16, 2013. [1]

[1] https://tcpablog.com/new-tcpa-regulations-take-effect-on-oct...


I'd assume in this case that they'd be allowed to call his business.

It sounds like his personal contact details are entirely separate from his business ones. I don't believe they should ever be using personal details to contact a business.

Even if he did provide them his phone number. In many places, that data may only be used for the purpose for which it was given. If they request a phone number for 2FA and then use it to contact you it could absolutely be considered illegal.


Correct - My personal number is nowhere to be seen anywhere on the business account.


> ... this is not legal advice

How is it not?


Because only lawyers can give legal advice. Paralegals give paralegal advice. Non certified citizens give advice.


The same way someone who is not a doctor telling you to take apple cider vinegar pills to help with your digestive issues isn't medical advice.


That is not a statement of fact but a disclaimer of liability. I don't know how this plays out in other jurisdictions but it's hit epidemic levels here.

Some people get away with it though, like people with doctorates calling themselves Doctor on TV and giving out personal, relationship and medical advice while somehow managing not to be sued back to the Stone Age.

Edit: Am I wrong? Tell me why.


It’s advice on how to proceed with a potential legal matter.


Because you can sue a lawyer for misrepresentation but you can't sue someone for giving their advice


Yep. Since I'm not a lawyer it probably wasn't necessary to include the "not legal advice" bit, but I'm just trying to be clear.


It’s illegal for a non-lawyer to claim to be giving legal advice, so it’s traditional to be clear that you aren’t doing that. (Of course, I’m not claiming to give you legal advice on this.)


That doesn't apply when you have an existing business relationship. That constitutes express consent.

Never cross the streams on unrelated accounts.


This is incorrect; see my response elsewhere in the thread for details. Express written consent is always required to send marketing messages or make marketing calls to personal (residential land-line or mobile) phone numbers.


Just to be clear...

You're absolutely sure, 100%, this is Meta employees themselves calling you? And Meta sending you e-mails?

Not spammers, of which there are many, and they get your contact info from all sorts of places? And which often lead you to believe they're Meta when they're really just scamming you or trying to sell ad placement consulting/optimization services?

Because with "multiple" calls and emails... this sounds like 3rd-party spammers, not something Meta does. And while Meta has been loose in the past with walling off information internally (to put it mildly...), it's not like they sell your contact info to spammers or anything (simply because it's not worth the effort, the money's way too small for a company of their size). Third-party spammers, on the other hand, will get your personal info from anywhere and everywhere.

For you to make a credible claim that Meta is using your 2FA contact info for marketing, you've really got to be sure that it's 1) actually Meta contacting you and 2) that they got your phone number specifically from 2FA and not just from looking it up publicly the way salespeople do.


Indeed it is. I too thought that perhaps it was a scam. But the call was followed up by an email from business.fb.com and per their Help Center, it is indeed from Meta https://www.facebook.com/business/help/372703956148310


Note that the from address doesn't necessarily indicate where the email actually came from.
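One way to act on that point, as an added example that is not part of the thread: rather than trusting the From header, read the Authentication-Results header that your own receiving mail server stamped on the message and check whether DKIM or SPF passed for a domain aligned with the From domain (the same alignment rule DMARC uses). The two sample messages below are constructed for this example; the domain business.fb.com appears only because the thread mentions it, and the helper names are this example's own.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (headers invented for this example, not real mail).
# In the first, the receiving MX recorded a DKIM pass aligned with the From domain.
SAMPLE_PASS = """\
From: Meta for Business <noreply@business.fb.com>
To: me@example.com
Subject: Grow your business
Authentication-Results: mx.example.net; dkim=pass header.d=business.fb.com; spf=pass smtp.mailfrom=business.fb.com
Message-ID: <constructed-1@example.com>

Hello
"""

# In the second, the From header claims the same sender but nothing authenticates it.
SAMPLE_SPOOF = """\
From: Meta for Business <noreply@business.fb.com>
To: me@example.com
Subject: Grow your business
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=bulk-sender.example.org
Message-ID: <constructed-2@example.com>

Hello
"""

# Pulls "dkim=<result> ... header.d=<domain>" and "spf=<result> ... smtp.mailfrom=<id>"
# out of an RFC 8601 Authentication-Results value.
RESULT_RE = re.compile(
    r"\b(dkim|spf)=(\w+)(?:[^;]*?\b(?:header\.d|smtp\.mailfrom)=([^\s;]+))?", re.I
)


def from_domain(msg) -> str:
    """Domain of the address in the From header (what the user actually sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels. A real implementation
    would consult the Public Suffix List; this is a simplification."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Map mechanism -> (result, identity) from an Authentication-Results header."""
    out = {}
    for mech, result, ident in RESULT_RE.findall(header):
        out[mech.lower()] = (result.lower(), ident.lower() if ident else None)
    return out


def check_sender(raw: str) -> dict:
    """Decide whether the From domain is backed by an aligned DKIM or SPF pass."""
    msg = email.message_from_string(raw)
    fd = from_domain(msg)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim_res, dkim_d = ar.get("dkim", ("none", None))
    spf_res, spf_from = ar.get("spf", ("none", None))
    if spf_from and "@" in spf_from:          # smtp.mailfrom may be a full address
        spf_from = spf_from.rpartition("@")[2]
    dkim_aligned = dkim_res == "pass" and dkim_d is not None and org_domain(dkim_d) == org_domain(fd)
    spf_aligned = spf_res == "pass" and spf_from is not None and org_domain(spf_from) == org_domain(fd)
    return {
        "from_domain": fd,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "authenticated": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    print(check_sender(SAMPLE_PASS))
    print(check_sender(SAMPLE_SPOOF))
```

Two caveats: an Authentication-Results header is only meaningful when it was added by your own mail provider (the authserv-id, `mx.example.net` in the sample, should match your provider's; providers are expected to strip any copies that arrive from outside), and a pass only shows the mail was sent with the domain owner's authorisation. It says nothing about where the sender obtained the recipient's phone number.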


I have a feeling that Meta has some kind of internal system for slurping up everyone's contact info, and that some kind of bugs/criteria occasionally cross some streams.

Meta recruiting somehow got a hold of my name@amazon.com employer email -- which I have never posted publicly -- and started sending me recruitment emails to my work email. This struck me as incredibly unprofessional, though I understand it's almost certainly an automated system doing it.

I still don't know how they got the email address (though I guess it's just lastname+first initial, so they could have guessed?). I may have DM'd it to someone in a FB messenger chat? Maybe I used it in an "work email" field during sign up for some industry conference whose data later got hacked? A colleague accidentally merged their work/personal contact list and uploaded it somewhere? Who knows.


> I have a feeling that Meta has some kind of internal system for slurping up everyone's contact info

Yes. It's called Facebook Messenger. All your friends have it installed on their phone and it has access to all the data in their phone's contact list, including anyone who might have saved it in the email field of their contact entry for you.

Right? Isn't this the oldest criticism of Facebook Messenger?


Or WhatsApp for that matter, which has access to a lot more people's contacts, even those who might otherwise deny contacts permission to Facebook Messenger.


And people still call me crazy because I haven't given WhatsApp access to my contact list...

While I understand that it helps only a little since all my friends have given it.


I learned my lesson about that the hard way back in the early 00s

I logged into LinkedIn, and it seemed like it was loading, but then the login failed and it prompted me to log in again. I tried and it didn't work, then looked more carefully.. and the second login prompt was actually a "Give us your e-mail login so we can scrape all your contacts and spam them" prompt.

Hoo boy, glad I was using separate passwords for everything


> This struck me as incredibly unprofessional, though I understand it's almost certainly an automated system doing it.

How does "automated system" somehow mitigate it being unprofessional? If you're going to make an automated system, part of professionalism is to make sure it actually works correctly. But then, look at how many people are hiding behind 'it's an algorithm so we can't be held accountable' these days.


services like apollo or hunter.io

some bdr signed into an account, gave up an email address book, and that information was given to these companies who do "give me a name and a company, and i'll give you their email" services.


I don't know when and I don't know how, but at some point we're going to have to start attaching provenance to data instead of building stringly typed systems where we copy data around as snippets of text orphaned from all possible context.

I suspect the biggest problem with that is not languages and frameworks, which are definitely going to be a problem, but databases. There is no way to map any of this into columns in any database I know about, and I don't know whether databases or operating systems evolve more slowly but they're both bottom quartile for sure. If you build provenance into or onto a prominent database, we could have multiple frameworks and toolchains within a couple of years.

If you squint a little, Rails has a 1-bit provenance facility, in the form of "have I escaped this string for display in HTML yet?" That is one of a number of aspects that make up "where did you get this?". Rails also has a bespoke system that won't log anything stored in a field called 'password', but it would be better if we could tag tokens, passwords, and private communications as privileged information, and carry that around even if someone does something questionable like interpolating a password into an error message, and then someone else prints that error where it can be seen.

Things get a little tricky with interpolation, because now I need some sort of cardinality to say that the union of data of Type X and Type Y results in data of Type Y, or better Type X,Y which we treat more conservatively because of strict rules on Type Y data.

When I was in college I was briefly recruited by a company that made a Unix Window Manager for the Defense and Intelligence communities. The elevator pitch had a sort of simpler version of this idea. You had a different desktop for each security level, and the clipboard only worked from low security to high security windows. You could paste information from a window showing generally available information into a classified document, but you could not paste from a classified window back into an unclassified document. Yes that meant you couldn't paste a quote from a Presidential Speech out of a classified document, but you also couldn't accidentally select the next three lines of text and paste those someplace bad.
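A small sketch of the tagging idea described in this comment (the purpose-limited phone number, the sticky "secret" bit that survives interpolation, and the conservative union rule for combined data), as an added example that is not part of the thread and not any real framework's API. The label names, the `Tagged` type and the sink functions are this example's own inventions; the phone number and password are constructed sample values.

```python
from dataclasses import dataclass

# Purpose labels (hypothetical names chosen for this example).
AUTH = "auth-2fa"
MARKETING = "marketing"
ALL_PURPOSES = frozenset({AUTH, MARKETING})


class PurposeViolation(Exception):
    """Raised when data reaches a sink it was never collected for."""


@dataclass(frozen=True)
class Tagged:
    """A string that carries its provenance and an allow-list of purposes."""
    value: str
    source: frozenset          # where the value entered the system
    allowed: frozenset         # purposes it may be used for
    secret: bool = False       # passwords/tokens: must never reach a log

    @staticmethod
    def lift(x):
        # Plain literals are program text: no restrictions, no secrets.
        return x if isinstance(x, Tagged) else Tagged(str(x), frozenset({"literal"}), ALL_PURPOSES)

    def __add__(self, other):
        other = Tagged.lift(other)
        # Conservative rule for interpolation: the result may only be used for
        # purposes that *all* parts permit, and secrecy is sticky.
        return Tagged(self.value + other.value,
                      self.source | other.source,
                      self.allowed & other.allowed,
                      self.secret or other.secret)

    def __radd__(self, other):
        return Tagged.lift(other) + self

    def __str__(self):
        # Refuse implicit unwrapping so a stray f-string cannot launder a value.
        raise TypeError("unwrap with use_for(tagged, purpose) at a sink")


def use_for(tagged: Tagged, purpose: str) -> str:
    """The only way to get a raw str out: the sink must declare its purpose."""
    if purpose not in tagged.allowed:
        raise PurposeViolation(f"data from {sorted(tagged.source)} is not allowed for {purpose!r}")
    return tagged.value


# --- sinks -----------------------------------------------------------------
def send_otp(phone: Tagged) -> str:
    return "OTP sent to " + use_for(phone, AUTH)


def send_marketing_sms(phone: Tagged) -> str:
    return "pitch sent to " + use_for(phone, MARKETING)


def log_line(msg: Tagged) -> str:
    # Anything tainted by a secret is redacted wholesale, even when the secret
    # was interpolated into an otherwise harmless error message upstream.
    return "[REDACTED: contains secret]" if msg.secret else msg.value


def demo() -> dict:
    # Constructed sample values, not real data.
    phone = Tagged("+1-555-0100", frozenset({"2fa-enrolment-form"}), frozenset({AUTH}))
    password = Tagged("hunter2", frozenset({"login-form"}), frozenset(), secret=True)
    out = {"otp": send_otp(phone)}           # collected for auth: allowed
    try:
        send_marketing_sms(phone)            # collected for auth only: refused
        out["marketing_blocked"] = False
    except PurposeViolation:
        out["marketing_blocked"] = True
    err = "login failed for password " + password   # careless interpolation
    out["log"] = log_line(err)
    out["err_secret"] = err.secret
    out["err_allowed"] = err.allowed         # empty: usable for nothing
    return out


if __name__ == "__main__":
    print(demo())
```

The interesting part is the intersection in `__add__`: once a 2FA-only number or a secret is mixed into a larger string, the whole string inherits the tightest restriction, which is the "Type X,Y treated as Type Y" rule the comment asks for. Persisting these tags is the unsolved half: a database column that stores only `value` throws the provenance away, which is exactly the failure mode the comment is worried about.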


> When I was in college I was briefly recruited by a company that made a Unix Window Manager for the Defense and Intelligence communities.

Secureware?


Not them, but I honestly couldn't tell you who they were, or if they're still around. It's been a long time, there was a little hint of nepotism involved, and it would have meant staying locally so I dumped most of the details from my brain.


Inversely, Amazon has also emailed me at my company address


generally most people check company then do,

- firstname@company.email

- firstnamelastname@company.email

- firstname-lastname@company.email

- firstname.lastname@company.email

from the recruitment side, cause I have asked this question to my company's HR... :P

hackers do it as well hence why I am always stressed about phishing, though recruitment mail on professional ids is still rather rare, recruiters also prefer to use personal email if available or so I have heard from a subset of them.

Try checking if it is maybe some kind of phishing scam, I have seen those a lot, recruitment phishing is like the most common case of successful phishing.


It was definitely not phishing -- I had a friend of mine who works for Meta reach out to the specific recruiter internally and ask them to not do that. They apologized, but a few months later a different recruiter reached out to the same work email.

They have my personal email, because they send recruitment spam to that one too.


Are you sure it's not in LinkedIn system? That's where a lot of recruiters buy data from.


Just verified it's not in any of my LinkedIn settings, also no other company has ever reached out via that employer email, only Meta, so it seems like Meta is the only one who knows about it (or is the only one who uses it, which seems unlikely).


So meta engineers saw all those headlines about Twitter misusing 2FA phone numbers and instead of making sure it didn’t happen to them, kept them available to employees to “accidentally” use as well.

Oopsie daisy! Tee hee, it was an honest mistake because ${team} didn’t know they weren’t supposed to!


Well no nice rhetoric but there are privacy reviews at Meta now to prevent these things. OP should collect evidence for why they think it was Meta and report it. Then it can be investigated properly and dealt with if true.

I’m skeptical that it was Meta, given the zero evidence provided here. Unless the OP just pays for a phone number that is only used for Meta 2FA.. but that is a lot of money to have a phone number per a 2FA.


Nice rhetoric yourself. I am sure big mega corp has nice checks in place to try and prevent these things, but no system is perfect, nor exhaustive. That's the problem when you are a data sink as a business, your #1 incentive is to keep the data flowing in.

You would think that when you hand someone your telephone number and they promise to secure it or only use it for a specific purpose, the onus is on them to prove they didn't misuse it.


> You would think that when you hand someone your telephone number and they promise to secure it or only use it for a specific purpose, the onus is on them to prove they didn't misuse it.

How could this be acceptably proven, in your opinion, if at all? "This information has never been misused" is the null hypothesis; it can never be proven for certain, from the moment the information is out of your direct control.


Proving it is another issue all together. Raising a reasonable concern that it was misused or mishandled triggers the process. And the process will uncover the facts of the matter. For telephone numbers, the laws and regulations are pretty well written.


Engineers don’t make decisions like that. Engineers got told to do it.



Assuming this kind of thing is fraud how does it manage to even happen at a company as large as Facebook? Is it on accident through some reckless merging of databases or is it on purpose and they think they are just too big to care about laws? It seems like Facebook must know what the law is.


My guess would be institutional pushes against any checks on data usage. Somebody implements 2FA. Somebody reduces the number of redundant databases. Somebody implements a new marketing plan. Somebody audits their legal compliance, and finds nothing wrong because the database doesn't record the provenance of each entry.

Individuals at Facebook know the law, and may even have individual incentives to follow the law. Facebook as an emergent entity, as an inhuman eldritch being built upon humans as component parts, cares nothing for the law.


Seems like a case of scraping the bottom of the barrel in a panic


It's more likely that you gave your phone number out somewhere more sketchy. The personal email thing sounds like straight fraud.

As someone who works for Meta and sees all the privacy trainings and the hoops you have to jump through to do anything with user data anymore at this company, someone is definitely getting fired for this if it was indeed Meta's fault and intentional.


Facebook is the absolute worst with this, Google second.

We spend >$10m on ads annually on FB, yet haven't had a dedicated account rep since 2019.

Instead, they farm out "account marketing specialists" who pitch you on giving up more control to FB algo and generally have significantly less insight and experience with FB ads than the people they are calling.

One week last summer, I received 8 calls in a single day from different FB marketing reps. I think they had some kind of call queue system based on the number of ad accounts, instead of on "Business manager" accounts, but it took a lot of firmly saying "Remove me from this list" and accusing them of phishing to get it to stop.

I just assumed I gave my cell to FB at some point, never thought of 2FA.


It probably wasn't Meta but some scammers.


Vote for candidates that support stronger consumer protection and data privacy laws. Do not give your personal information to companies that do not directly need it for the service you're engaging in. Delete your facebook accounts yesterday.

Services that require a phone number like twitter, discord, blizzard, signal, twitch, etc are giving you a heads up that they're abusive and will work against your interests. Stay far away.


This is why I really hate how the big players are gating user access through phone numbers and smartphones.

Even government portals are copying the tactic. (I didn't agree to a draconian ToS recently for an online fee filing, and it took months and hours on the phone just to make a simple VISA payment).


Facebook already used 2FA gathered numbers for ads in the past so I'm not sure why there is so much doubt in this story.

https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...


Because the article you linked has no sources?


You should probably use an app like Aegis (Android) or Raivo (iOS) for two-factor authentication rather than your personal phone number.


FB does not allow you to use 2FA apps like that without giving them a phone number first (at least this is how it worked in the past).


Shame if that is (or was?) the case, but it hasn’t been my experience at least.


Wouldn't be the first time this happened, but it's hard to verify this without any hard data. Follow up with Meta via your business account and ask them to explain or you'll go to the FTC and press (me).


They already paid a multi billion dollar fine for misusing 2FA phone numbers and have insane process to prevent this specific scenario. Way more likely that OP put their phone number somewhere else.


Their year over year revenue fell in June. They are reporting revenue today after the close of trading, and the stock is currently down 5%: https://finance.yahoo.com/quote/META/?

So it may well be that they have bad news and are under pressure to say that they are trying to improve revenue.


Don't use your personal mobile phone for 2FA.

Use a "2FA Mule" that is only for that purpose:

https://kozubik.com/items/2famule/

I have the ringers silenced on mine so I wouldn't know if they got any spam calls ... and I assume they do ...


Google Voice is free and will forward SMS's to email, which can then be set up with rules to various other emails. Most banks accept google voice numbers

Twilio numbers are a dollar a month and will also forward to email or you can log into the twilio web interface to pick up sms codes if needed. Rejected by more places that demand 2FA


Some services don't allow GVoice 2fa. I tried it for instagram because I refuse to give Facebook my real number and they rejected it.


Same, although my goal was to use a Google Voice number that could be shared amongst a team, for integrating with Facebook's APIs.


Agreed. Definitely some USA banks do not (with one of my accounts, neither the SMS nor the automated call would come through the GV number), and although a few years since last I tried, craigslist would not accept GV for account verification.


"Google Voice is free and will forward SMS's to email ..."

...

"Twilio numbers are a dollar a month ..."

I wanted very much to keep my telephony within twilio and maximize the mini-telco that I built for myself there ... however almost zero 2FA requirements can be fulfilled with "voip" numbers that are not honest-to-god mobile tagged phone numbers.

That's the whole point of the 2FA Mule, etc.


I have a bridge to sell anyone who actually believed companies requesting your phone number for "security" purposes wouldn't make that information available to the rest of their business activities.


Did not get a sales pitch, but added my phone number as 2FA a couple days ago and started receiving FB notifications via text msg. Despite having muted all FB notifications years ago.


Sounds like alarmist reaction without proper evidence.

How do you even know it is Meta? Anybody can get your phone #, and it is super easy to get spam.


I also thought it was a scam call but they followed up with an email to my personal email tied to my personal email from sign up from @business.fb.com domain per their help center https://www.facebook.com/business/help/372703956148310


Your anecdote isn't really evidence of anything and I'm skeptical that this is the case.



Perhaps I am an isolated incident and honestly hope for the sake of the community that it is. But they followed up with an email to my personal email tied to my personal email from sign up from @business.fb.com domain per their help center https://www.facebook.com/business/help/372703956148310


Gotta pump up the numbers before market close and earnings


Didn’t Twitter just get hit with fines for this?



Please stop using phones/sms as 2FA.


Tell that to all the shitty companies who require 2FA and only offer it by phone/sms

EDIT: and by "shitty" I mean my bank among many other equally important service providers.



