
Tell HN: Failing to log in to deactivated Facebook account has reactivated it - J-dawg
I 'left' Facebook a couple of years ago, but only deactivated my profile at the time. Today I decided to delete it fully. Maybe I'm jumping on the bandwagon, but whatever, I've been meaning to do it for a while.

I went to log in but had forgotten that I used to use the Facebook app for 2-factor auth. I've also changed my phone number so I couldn't receive a code via SMS. I do have the recovery codes [0] from when I set up 2-factor auth, but cannot find any part of the login process that will accept a recovery code.

I then received an email from Facebook saying "Welcome Back to Facebook", telling me my account has been reactivated! Despite the fact that I never successfully logged in to my account. So apparently my profile is now back out there on Facebook, and there's nothing I can do about it until I (somehow) gain access to the account.

There seem to be two huge flaws here:

1. Why can't I log into my 2-factor protected account using saved recovery codes? That's what they're there for. (if anyone knows how to do this, please share!)

2. It seems anyone can reactivate a deactivated Facebook account by simply attempting to log in? _EDIT: Perhaps it reactivated because I gave a correct username and password, but it still shouldn't do this until after the 2FA step_

This seems like yet another dark UX pattern / security flaw from Facebook.

Just another reason to #deleteFacebook... (if only I could)

[0] https://www.facebook.com/help/www/148104135383285?helpref=faq_content&rdrhc
======
corobo
Presumably it reactivated because you got the correct username _and password_?

Don't get me wrong the reactivation step should be after the 2FA step but I
can see how this happened, feels like it's a Hanlon's razor situation.

It would need testing again if an attempt with an incorrect password
reactivated the account

~~~
J-dawg
Yeah, now you mention it, it may have reactivated after I gave the correct
username and password, but before the 2FA step.

I still think it's insane that you can reactivate an account without actually
gaining access to it.

~~~
tzakrajs
I deactivated my account. Facebook sent me a "Come back to Facebook" SMS. I
replied with "No" and it reactivated my account and posted a globally viewable
"No" to my feed.

By me stating my displeasure, they got an MAU. Great.

~~~
J-dawg
Ugh. Did you go back later and delete it fully?

~~~
tzakrajs
March 31st is my delete day :)

------
spicyj
Hi, I’m Sophie and I work at Facebook.

The behavior here was not intentional, and we deployed a fix today so that a
login that fails 2FA (even with a correct password) will not result in the
reactivation of a deactivated account.

Thanks for noticing this bug and posting!
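
The ordering problem and fix described in the comment above, as an added example that is not part of the thread and not Facebook's code: a minimal model of a login flow where the buggy version marks the account active after the password step and the fixed version changes state only after the second factor (TOTP or a single-use recovery code) verifies. All names and sample values are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str        # constructed sample; a real system stores a password hash
    totp_code: str       # stands in for the currently valid second-factor code
    recovery_codes: set = field(default_factory=set)
    active: bool = False  # False models a deactivated account

def _password_ok(acct, password):
    return hmac.compare_digest(acct.password.encode(), password.encode())

def _second_factor_ok(acct, code):
    # The same input accepts either the current code or a recovery code.
    if hmac.compare_digest(acct.totp_code.encode(), code.encode()):
        return True
    if code in acct.recovery_codes:
        acct.recovery_codes.discard(code)  # recovery codes are single use
        return True
    return False

def login_buggy(acct, password, code):
    """Ordering reported in the thread: reactivation precedes the 2FA check."""
    if not _password_ok(acct, password):
        return False
    acct.active = True                     # side effect committed too early
    return _second_factor_ok(acct, code)

def login_fixed(acct, password, code):
    """Account state changes only once every factor has verified."""
    if not _password_ok(acct, password):
        return False
    if not _second_factor_ok(acct, code):
        return False
    acct.active = True
    return True
```
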

~~~
J-dawg
Thanks. I'm not the greatest fan of your employer/product but it's great that
you are responsive to stuff like this.

Out of curiosity, is the inability to log in with recovery codes also a bug?
The help page I linked to explains the process for _getting_ recovery codes,
but when I was attempting to log in I couldn't find any option to actually use
one. The 2FA input wouldn't accept an 8 digit code. Maybe I was missing
something obvious.

Perhaps this is something that only happens with deactivated accounts?
(Although people with deactivated accounts are arguably the group most likely
to _need_ recovery codes).

~~~
spicyj
The usual 2FA input should work. Do you mind mailing me (username sophiebits,
domain fb.com) your email or a link to your FB profile so I can have someone
look into this? A screenshot of the input field that you see would also be
helpful.

~~~
J-dawg
I have now requested to delete the profile and entered the 14 day waiting
period so I'm not really minded to reactivate it just to investigate this,
sorry!

Thanks again for getting in touch.

------
newscracker
To me, this sounds really nasty. But it's not something I'd be shocked about,
because it's Facebook. Please document this in detail in a blog post or
somewhere, and then share it around through (obviously, non-Facebook channels)
Twitter and other platforms. Maybe some journalists would be interested in
covering this too.

------
sashk
Someone a long time ago registered a facebook account for my email. I've reset
the password and, what I thought, deleted the account, but it never expired because
someone was trying to login and reset passwords again and again and again. So
yep, it's kind of known behavior for many years.

------
whistlerbrk
I asked, pleaded, begged and demanded Spotify to dissociate my Facebook
account, and even though they claim they did, when I log into Spotify with a
username and password, I'll get an email within a few seconds "Welcome back to
Facebook".

Absolutely maddening.

~~~
rando444
While not ideal, you should be able to go into facebook, revoke Spotify's
access and then deactivate your facebook account again.

------
janlaureys
Yeah reactivating just requires 1 login, I've done it a few times. Sometimes
it asks you to point out a few friends in a bunch of pictures.

The fact that your failed login reactivated your account is kinda scary.
Anyone could just try to login with your e-mail address and your account would
be reactivated?

~~~
DangerousPie
Only if they also know his password.

------
ankothari
There are two options on facebook. I think if you deactivate, then if you ever
log in to facebook, the profile is back. The other option is to delete the
account in which you have to wait for 14 days without logging in. My account
got deleted successfully some days back.

------
amsheehan
Out of curiosity, why don't you think you can delete Facebook? I have a few
friends whose jobs are in new media spaces and have thrown out a couple
reasons off the cuff. After talking through those scenarios though, we
concluded it's entirely reasonable and practical to delete their Facebook
accounts, and it wouldn't negatively impact their livelihood as much as they
originally thought.

~~~
J-dawg
The point of my post is that I literally _can't_ delete Facebook right now
because I'm locked out of my account. I'm not one of those people who thinks I
can't live without it, my account has already been deactivated for around 2
years.

The main thing I am complaining about is that I think it's appalling that my
account can be reactivated without actually giving me access to the account.

I have submitted a support request and will be deleting Facebook as soon as I
get access to the account!

