Tell HN: Meta is using my 2FA to call and sell me

If you are in the USA, then what you received are unsolicited marketing phone calls under the TCPA, a law which allows you to personally collect up to $1500 per violation of the law or associated regulations, per phone call that you received. If your personal phone is on the federal "Do Not Call" registry, it's possible that there are at least two violations of the law per phone call you received.

I would suggest sending a demand letter to Meta's legal department offering to settle for somewhat less than $1500 per violation. Here's an example: https://www.junkfax.org/w/images/0/0b/SampleDemandLetter.pdf

If they ignore you, be prepared to file a local case in small claims court (which you can do yourself without an attorney). The court can force them to pay you if you present evidence of the calls and the law(s) or regulations that were broken.

Disclaimer: I am not a laywer and this is not legal advice, but I have collected money from TCPA legal settlements in the past, each without needing to go to court.

Just to be clear...

You're absolutely sure, 100%, this is Meta employees themselves calling you? And Meta sending you e-mails?

Not spammers, of which there are many, and they get your contact info from all sorts of places? And which often lead you to believe they're Meta when they're really just scamming you or trying to sell ad placement consulting/optimization services?

Because with "multiple" calls and emails... this sounds like 3rd-party spammers, not something Meta does. And while Meta has been loose in the past with walling off information internally (to put it mildly...), it's not like they sell your contact info to spammers or anything (simply because it's not worth the effort, the money's way too small for a company of their size). Third-party spammers, on the other hand, will get your personal info from anywhere and everywhere.

For you to make a credible claim that Meta is using your 2FA contact info for marketing, you've really got to be sure that it's 1) actually Meta contacting you and 2) that they got your phone number specifically from 2FA and not just from looking it up publicly the way salespeople do.

I have a feeling that Meta has some kind of internal system for slurping up everyone's contact info, and that some kind of bugs/criteria occasionally cross some streams.

Meta recruiting somehow got a hold of my name@amazon.com employer email -- which I have never posted publicly -- and started sending me recruitment emails to my work email. This struck me as incredibly unprofessional, though I understand it's almost certainly an automated system doing it.

I still don't know how they got the email address (though I guess it's just lastname+first initial, so they could have guessed?). I may have DM'd it to someone in a FB messenger chat? Maybe I used it in an "work email" field during sign up for some industry conference whose data later got hacked? A colleague accidentally merged their work/personal contact list and uploaded it somewhere? Who knows.

So meta engineers saw all those headlines about Twitter misusing 2FA phone numbers and instead of making sure it didn’t happen to them, kept them available to employees to “accidentally” use as well.

Oopsie daisy! Tee hee, it was an honest mistake because ${team} didn’t know they weren’t supposed to!

It's more likely that you gave your phone number out somewhere more sketchy. The personal email thing sounds like straight fraud.

As someone who works for Meta and and sees all the privacy trainings and the hoops you have to jump through to do anything with user data anymore at this company, someone is definitely getting fired for this if it was indeed Meta's fault and intentional.

Facebook is the absolute worst with this, Google second.

We spend >$10m on ads annually on FB, yet haven't had a dedicated account rep since 2019.

Instead, they farm out "account marketing specialists" who pitch you on giving up more control to FB algo and generally have significantly less insight and experience with FB ads than the people they are calling.

One week last summer, I received 8 calls in a single day from different FB marking reps. I think they had some kind of call queue system based on the number of ad accounts, instead of on "Business manager" accounts, but it took a lot of firmly saying "Remove me from this list" and accusing them of phishing to get it to stop.

I just assumed I gave my cell to FB at some point, never thought of 2FA.

Vote for candidates that support stronger consumer protection and data privacy laws. Do not give your personal information to companies that do not directly need it for the service you're engaging in. Delete your facebook accounts yesterday.

Services that require a phone number like twitter, discord, blizzard, signal, twitch, etc are giving you a heads up that they're abusive and will work against your interests. Stay far away.

This is why I really hate how the big players are gating user access through phone numbers and smartphones.

Even government portals are copying the tactic. (I didn't agree to a draconian ToS recently for an online fee filing, and it took months and hours on the phone just to make a simple VISA payment).

Facebook already used 2FA gathered numbers for ads in the past so I'm not sure why there is so much doubt in this story.

https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...

You should probably use an app like Aegis (Android) or Raivo (iOS) for two-factor authentication rather than your personal phone number.

Wouldn't be the first time this happened, but it's hard to verify this without any hard data. Follow up with Meta via your business account and ask them to explain or you'll go the FTC and press (me).

They already paid a multi billion dollar fine for misusing 2FA phone numbers and have insane process to prevent this specific scenario. Way more likely that OP put their phone number somewhere else.

Their year over year revenue fell in June. They are reporting revenue today after the close of trading, and the stock is currently down 5%: https://finance.yahoo.com/quote/META/?

So it may well be that they have bad news and are under pressure to say that they are trying to improve revenue.

Don't use your personal mobile phone for 2FA.

Use a "2FA Mule" that is only for that purpose:

https://kozubik.com/items/2famule/

I have the ringers silenced on mine so I wouldn't know if they got any spam calls ... and I assume they do ...

I have a bridge to sell anyone who actually believed companies requesting your phone number for "security" purposes wouldn't make that information available to the rest of their business activities.

Did not get a sales pitch, but added my phone number as 2FA a couple days ago and started receiving FB notifications via text msg. Despite having muted all FB notifications years ago.

Sounds like alarmist reaction without proper evidence.

How do you even know it is Meta? Anybody can get your phone #, and it is super easy to get spam.

Your anecdote isn't really evidence of anything and I'm skeptical that this is the case.

Gotta pump up the numbers before market close and earnings

Didn’t Twitter just get hit with fines for this?

Please stop using phones/sms as 2FA.