Facebook seems to have a very tough time maintaining user integrity, as the company says that it unintentionally uploaded the email contacts of 1.5 million users. According to a report by Reuters, the tech giant has uploaded the email contacts of 1.5 million new users since March 2016. This is just the latest in a series of “unintentional” personal information disclosures that have happened in the last few years.
How did it happen? According to Reuters, new Facebook users were asked to verify their newly-made accounts via their email passwords. This strange process resulted in cases where email contacts of 1.5 million users got uploaded to Facebook.
“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we are deleting them,” Facebook told Reuters. The company added that all users who have had their email password compromised have been contacted so that they can change the password and secure their accounts.
Facebook also told Reuters that it will no longer offer email password verification for new users, and that the feature stopped last month.
Earlier this month, Business Insider reported on the issue, in which new Facebook users were asked to share their email account passwords. The report calls this a move with “concerning security implications,” adding that such a practice could lead people to engage in “risky” behaviors online.
Normally, security experts encourage users never to share passwords or enter them into any service or website other than the one they are intended for. Using a different password for each account would prevent private information from being exposed through cyber attacks such as “phishing attacks,” where users hand over personal information to what they think is a credible website, but which is just a hacker’s mask for stealing information such as passwords, credit card numbers or PayPal details.
In Facebook’s case, users who wanted to register with an email address from certain providers, including Yandex and GMX, needed to confirm their email address by entering the password directly into Facebook. The issue was initially discovered by Twitter user e-sushi, who shared his concerns.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
Currently, it is difficult to trust Facebook, especially after the data scandal with Cambridge Analytica where 87 million Facebook users had their personal information compromised, as well as the huge data breach that took place last October.
Facebook plans to merge its app trio, Messenger, Instagram and WhatsApp, by building a unified infrastructure that would improve usability as well as safety. Nevertheless, even the early attempts at merging came under fire because of data sharing between the three separate apps.