Facebook appears to be creating fake accounts on Discourse forums

An interesting discovery on this forum prompted me to check my own Discourse instance, and sure enough, I have a “tfbnw” user too:

I have two theories. Either:

  • Facebook is monitoring sites that use Facebook Login / API for breaches of Facebook Developer T&Cs
  • Facebook is creating accounts using unique email addresses and then monitoring the web (and maybe the dark web) to see if those email addresses show up in any breach databases, in order to identify third-party sites with poor security

Sounds like it’s a test account that’s automatically created when you integrate with Facebook?

If you check your app dashboard are you able to see a test user?


I guess otherwise it would be Facebook QA; we know they do check apps occasionally because we’ve had instances where integration was denied for incorrect Facebook branding.

Extreme option: you could ban the domain from registering for accounts and see what happens. Though if maintaining Facebook login is critical you might not want to, because they could disable your account (I’d expect a warning first, but you never know)?