Forum Discussion

alexm.565959
Honored Guest
7 months ago

Meta SMS short code service compromised

I'm posting this here because it's related to all Meta services – including Meta VR accounts – and I can't find another avenue to report this issue.

As I understand, Meta uses a short code number for 2FA that provides users with codes and/or links that are used to sign in to an associated account. The short code that I normally receive notifications from is 89854 and/or 39041. I recently sent "help" to the short code number 89854 in an attempt to see if more options for sign in would be provided.

To my surprise, I received the following response: "Facebook Alerts:Help? https://www.facebook.com/help or call 888510####. Msg freq may vary. Msg&data rates may apply. Reply STOP to end." While the link is valid and takes me to facebook.com, the number leads directly to a call center that attempted to sell me a number of services.

Depending on the time of day, it either directs me to a call center offering a fall detection service for seniors, or an 18+ call center offering phone sex. Regardless of the destination, this is unacceptable and seems like a huge liability.

The normal short code response to "help" is either to not send any response at all, or to send a link – no number included – directing a user to www.facebook.com/help. So, how hasn't this previously been discovered and fixed?

I'm attaching a screenshot of the message I received from your short code service. Please let me know if I can provide any more useful information.

7 Replies

  • KostiaG
    Meta Employee

    Hi alexm.565959,

    Thank you for bringing this to our attention. The usage of short codes in different countries may vary. Can you please also share your country and mobile operator name?

    • alexm.565959
      Honored Guest

      I'm located in the USA with country code +1. I received this text using T-Mobile on an Apple device.

      Thanks for looking into this. Please keep me updated as I'm concerned that my access codes are compromised. 

    • Demon.Raizer
      Honored Guest

      I just received a text message from the 89854 SMS code. 

      It stated:

      Kevin, get back on Facebook by clicking: https://fb.me/1MPydDpoZn3bH2n

      Furthermore, this was received to my number that's NOT even registered or associated with Facebook. 

  • KostiaG
    Meta Employee

    Hi alexm.565959,

    Thank you very much for the provided information and your patience!

    The phone number help option has been removed as irrelevant. May I ask you to perform a fresh test and let me know if it is fixed now?

  • Hello, I also received a text from 89854 with a code to presumably reactivate my disabled Facebook account. I am in the U.S. Cricket service. 
    It has been a difficult process trying to regain access to my Facebook account of 16+ years. I would very much like to trust this code and try again to log in to my Facebook account but thought I should check here first to avoid another hack-in. Thank you for any assistance you can provide. 

    • Demon.Raizer
      Honored Guest

      If you didn't initiate a code to be sent to your phone then do not trust it!

      In fact, on the other hand you should have other 2-factor authentication methods active, such as receiving a Facebook app notification to approve a login, or using an authentication token such as from the Authy app.