Tell HN: Failing to log in to deactivated Facebook account has reactivated it
107 points by J-dawg on March 27, 2018 | 20 comments
I 'left' Facebook a couple of years ago, but only deactivated my profile at the time. Today I decided to delete it fully. Maybe I'm jumping on the bandwagon, but whatever, I've been meaning to do it for a while.

I went to log in but had forgotten that I used to use the Facebook app for 2-factor auth. I've also changed my phone number so I couldn't receive a code via SMS. I do have the recovery codes [0] from when I set up 2-factor auth, but cannot find any part of the login process that will accept a recovery code.

I then received an email from Facebook saying "Welcome Back to Facebook", telling me my account has been reactivated, despite the fact that I never successfully logged in to my account. So apparently my profile is now back out there on Facebook, and there's nothing I can do about it until I (somehow) gain access to the account.

There seem to be two huge flaws here:

1. Why can't I log into my 2-factor protected account using saved recovery codes? That's what they're there for. (if anyone knows how to do this, please share!)

2. It seems anyone can reactivate a deactivated Facebook account by simply attempting to log in? EDIT: Perhaps it reactivated because I gave a correct username and password, but it still shouldn't do this until after the 2FA step

This seems like yet another dark UX pattern / security flaw from Facebook.

Just another reason to #deleteFacebook... (if only I could)

[0] https://www.facebook.com/help/www/148104135383285?helpref=faq_content&rdrhc

Presumably it reactivated because you got the correct username and password?

Don't get me wrong the reactivation step should be after the 2FA step but I can see how this happened, feels like it's a Hanlon's razor situation.

It would need testing again if an attempt with an incorrect password reactivated the account

Yeah, now you mention it, it may have reactivated after I gave the correct username and password, but before the 2FA step.

I still think it's insane that you can reactivate an account without actually gaining access to it.

I deactivated my account. Facebook sent me a "Come back to Facebook" SMS. I replied with "No" and it reactivated my account and posted a globally viewable "No" to my feed.

By me stating my displeasure, they got an MAU. Great.

Ugh. Did you go back later and delete it fully?

March 31st is my delete day :)

Hi, I’m Sophie and I work at Facebook.

The behavior here was not intentional, and we deployed a fix today so that a login that fails 2FA (even with a correct password) will not result in the reactivation of a deactivated account.

Thanks for noticing this bug and posting!
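The ordering problem the thread identifies (a side effect, reactivation, fired after the password check but before the second factor) is easy to model in code. The following is an added illustrative example, not Facebook's code and not the fix described above; every name, the account layout, the demo credentials and the RFC 6238 test secret are constructed for the example. It places the buggy ordering beside the corrected one and also accepts a single-use recovery code at the same 2FA step, which is the behaviour the original post could not find in the real login flow.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed demo values: RFC 6238 Appendix B test secret, made-up salt and codes.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_RECOVERY_CODES = ["1111-2222", "3333-4444"]


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    deactivated: bool
    totp_secret: Optional[bytes] = None
    # Recovery codes are stored hashed and removed once used.
    recovery_hashes: Set[str] = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hash_recovery_code(code: str) -> str:
    return hashlib.sha256(code.replace("-", "").encode()).hexdigest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with HOTP dynamic truncation."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_second_factor(acct: Account, code: str, now: int) -> bool:
    """Accept the current app code or one unused recovery code (consumed on use)."""
    if hmac.compare_digest(totp(acct.totp_secret, now), code):
        return True
    h = hash_recovery_code(code)
    if h in acct.recovery_hashes:
        acct.recovery_hashes.discard(h)  # single use: cannot be replayed
        return True
    return False


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)


def login_buggy(db: Dict[str, Account], username: str, password: str, code: str, now: int) -> str:
    acct = db.get(username)
    if acct is None or not password_ok(acct, password):
        return "bad_credentials"
    acct.deactivated = False  # BUG: side effect fires before the second factor is checked
    if acct.totp_secret and not verify_second_factor(acct, code, now):
        return "2fa_failed"
    return "ok"


def login_fixed(db: Dict[str, Account], username: str, password: str, code: str, now: int) -> str:
    acct = db.get(username)
    if acct is None or not password_ok(acct, password):
        return "bad_credentials"
    if acct.totp_secret and not verify_second_factor(acct, code, now):
        return "2fa_failed"  # nothing about the account has changed
    if acct.deactivated:  # side effects only once every factor has passed
        acct.deactivated = False
        return "ok_reactivated"
    return "ok"


def make_demo_db() -> Dict[str, Account]:
    """Constructed single-account store: deactivated, 2FA enabled, two recovery codes."""
    acct = Account(
        username="j-dawg",
        salt=DEMO_SALT,
        password_hash=hash_password("correct horse battery staple", DEMO_SALT),
        deactivated=True,
        totp_secret=DEMO_TOTP_SECRET,
        recovery_hashes={hash_recovery_code(c) for c in DEMO_RECOVERY_CODES},
    )
    return {acct.username: acct}


if __name__ == "__main__":
    # Correct password, wrong app code: only the buggy flow flips the flag.
    for login in (login_buggy, login_fixed):
        db = make_demo_db()
        result = login(db, "j-dawg", "correct horse battery staple", "000000", now=59)
        print(login.__name__, result, "deactivated:", db["j-dawg"].deactivated)
```

The design point is that a deactivated account should be mutated only by a login that has completed every factor; until then the failed attempt must leave the stored record exactly as it was. The recovery-code branch is hashed, compared in constant time and deleted on use so that a code read off a printout cannot be replayed.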

Thanks. I'm not the greatest fan of your employer/product but it's great that you are responsive to stuff like this.

Out of curiosity, is the inability to log in with recovery codes also a bug? The help page I linked to explains the process for getting recovery codes, but when I was attempting to log in I couldn't find any option to actually use one. The 2FA input wouldn't accept an 8 digit code. Maybe I was missing something obvious.

Perhaps this is something that only happens with deactivated accounts? (Although people with deactivated accounts are arguably the group most likely to need recovery codes).

The usual 2FA input should work. Do you mind mailing me (username sophiebits, domain fb.com) your email or a link to your FB profile so I can have someone look into this? A screenshot of the input field that you see would also be helpful.

I have now requested to delete the profile and entered the 14 day waiting period so I'm not really minded to reactivate it just to investigate this, sorry!

Thanks again for getting in touch.

To me, this sounds really nasty. But it's not something I'd be shocked about, because it's Facebook. Please document this in detail in a blog post or somewhere, and then share it around through (obviously, non-Facebook channels) Twitter and other platforms. Maybe some journalists would be interested in covering this too.

Someone, a long time ago, registered a Facebook account for my email. I reset the password and, as I thought, deleted the account, but it never expired because someone was trying to log in and reset the password again and again and again. So yep, it's kind of known behavior for many years.

I asked, pleaded, begged and demanded Spotify to dissociate my Facebook account, and even though they claim they did, when I log into Spotify with a username and password, I'll get an email within a few seconds "Welcome back to Facebook".

Absolutely maddening.

While not ideal, you should be able to go into facebook, revoke Spotify's access and then deactivate your facebook account again.

Yeah, reactivating just requires one login, I've done it a few times. Sometimes it asks you to point out a few friends in a bunch of pictures.

The fact that your failed login reactivated your account is kinda scary. Anyone could just try to log in with your e-mail address and your account would be reactivated?

Only if they also know his password.

There are two options on Facebook. I think if you deactivate, then if you ever log in to Facebook, the profile is back. The other option is to delete the account, in which case you have to wait for 14 days without logging in. My account got deleted successfully some days back.

Out of curiosity, why don't you think you can delete Facebook? I have a few friends whose jobs are in new media spaces and have thrown out a couple reasons off the cuff. After talking through those scenarios though, we concluded it's entirely reasonable and practical to delete their Facebook accounts, and it wouldn't negatively impact their livelihood as much as they originally thought.

The point of my post is that I literally can't delete Facebook right now because I'm locked out of my account. I'm not one of those people who thinks I can't live without it, my account has already been deactivated for around 2 years.

The main thing I am complaining about is that I think it's appalling that my account can be reactivated without actually giving me access to the account.

I have submitted a support request and will be deleting Facebook as soon as I get access to the account!

OP can't delete it because they can't log in, as they explain in the post.

How is your comment relevant to this post? OP said s/he wants to delete Facebook but failed to do so.

