Facebook abuses phone numbers users enter to receive a text message for two-factor authentication, to send spam. Replies to that SMS spam also automatically end up as posts on user accounts.
It is unclear whether these are bugs or features, reports The Verge. Users noticed reported this week that after signing up for two-factor authentication, they received SMS spam with notifications from Facebook. The content of this, like the emails Facebook sends to users, is that one contact has responded to another contact and is intended to get users more to Facebook.
Anyone who replies to the text message that the spam must stop will see that this answer automatically appears as a post on the account. Facebook has a feature to post via SMS, but that requires users to turn it on first and then send a confirmation SMS.
The Verge points out that misuse of two-factor authentication phone number for other purposes could have legal consequences. Facebook only says in a statement that it is looking at the situation and has not yet commented on the complaints.