Tell HN: Failing to log in to deactivated Facebook account has reactivated it
I went to log in but had forgotten that I used to use the Facebook app for 2-factor auth. I've also changed my phone number so I couldn't receive a code via SMS. I do have the recovery codes [0] from when I set up 2-factor auth, but cannot find any part of the login process that will accept a recovery code.
I then received an email from Facebook saying "Welcome Back to Facebook", telling me my account has been reactivated! Despite the fact that I never successfully logged in to my account. So apparently my profile is now back out there on Facebook, and there's nothing I can do about it until I (somehow) gain access to the account.
There seem to be two huge flaws here:
1. Why can't I log into my 2-factor protected account using saved recovery codes? That's what they're there for. (if anyone knows how to do this, please share!)
2. It seems anyone can reactivate a deactivated Facebook account by simply attempting to log in? EDIT: Perhaps it reactivated because I gave a correct username and password, but it still shouldn't do this until after the 2FA step
This seems like yet another dark UX pattern / security flaw from Facebook.
Just another reason to #deleteFacebook... (if only I could)
[0] https://www.facebook.com/help/www/148104135383285?helpref=faq_content&rdrhc
20 comments
[ 4.0 ms ] story [ 58.1 ms ] threadThe fact that your failed login reactivated your account is kinda scary. Anyone could just try to login with your e-mail address and your account would be reactivated ?
Don't get me wrong the reactivation step should be after the 2FA step but I can see how this happened, feels like it's a Hanlon's razor situation.
It would need testing again if an attempt with an incorrect password reactivated the account
I still think it's insane that you can reactivate an account without actually gaining access to it.
By me stating my displeasure, they got an MAU. Great.
The main thing I am complaining about is that I think it's appalling that my account can be reactivated without actually giving me access to the account.
I have submitted a support request and will be deleting Facebook as soon as I get access to the account!
Absolutely maddening.
The behavior here was not intentional, and we deployed a fix today so that a login that fails 2FA (even with a correct password) will not result in the reactivation of a deactivated account.
Thanks for noticing this bug and posting!
Out of curiosity, is the inability to log in with recovery codes also a bug? The help page I linked to explains the process for getting recovery codes, but when I was attempting to log in I couldn't find any option to actually use one. The 2FA input wouldn't accept an 8 digit code. Maybe I was missing something obvious.
Perhaps this is something that only happens with deactivated accounts? (Although people with deactivated accounts are arguably the group most likely to need recovery codes).
Thanks again for getting in touch.