Earlier this week, Australian developer Chris Lacy tweeted about a curious experience while logging into a rarely used Google account. When Google texted his two-factor authentication code, the message popped up along with an ad including a link for VPN services. Considering the downsides of phishing or malware distribution attached to a code that’s specifically intended to keep your account secure, this didn’t go over well.

While Lacy did not name the carrier who delivered the text, Google Identity and Security senior director Mark Risher clarified that the ad didn’t come from his company.

Google’s official statement on the matter is that “These are not our ads and we are currently working with the wireless carrier to understand why this happened.” The Messages app on Android didn’t display a preview, flagging it as possible spam, but it’s a less than ideal implementation of two-factor authentication.

9to5Google points out that at least in some countries, Google uses Verified SMS to authenticate and secure messages, but it’s not clear if that would be possible here. I’ve never seen any spam attached to verification on texts, but until RCS and end-to-end encryption are widespread, it’s just one more reason to opt for code generators, hardware keys, or push notifications for login security instead of a text.