Facebook under investigation for harvesting 1.5 million email accounts
Facebook is under investigation for using a questionable account verification method to gain access to email accounts in order to harvest email addresses.
Facebook, as a social networking platform, has demonstrated time and time again that it is not to be trusted with your sensitive information.
In only the last few years, the company has allowed anyone to pair a user’s phone number with their name and Facebook profile; it has been caught misusing phone numbers provided exclusively for security purposes to try to make social connections; it has allowed data harvesting companies to collect private information about its users via Facebook apps in order to expose them to political ads; and it has also been accused of storing millions of users’ passwords in plaintext.
And that is not to mention the plethora of scam adverts that frequently appear on its sponsored adverts platform.
In the latest demonstration of Facebook’s cavalier attitude to privacy, it has been revealed that the social networking site was snooping around users’ email contact books without their permission and importing their email contacts.
But how?
New Facebook users creating an account after May 2016 may have been asked to verify their email address by giving Facebook the password for their email account, which replaced the more traditional method of sending a verification email to the user with a link to click on. See the embedded tweet below.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
Asking for the password for an email account is a terrible method from a cyber-security point of view, especially since it involves giving sensitive information to a website notorious for various privacy snafus. We’re always told not to give out our passwords to anyone except the website they are for. And here is Facebook asking for passwords belonging to another service.
As it turns out, not only was Facebook asking for the email password so a new user could verify their account, but once in possession of that password, Facebook was accessing the email account and importing its contact address book. All without the email account owner’s permission.
That’s not good. And according to sources, Facebook may have done this to over 1.5 million Facebook users. If, for example, each of those 1.5 million users had 50 people in their email contact book, that’s 75 million email addresses Facebook has obtained in order to build what it calls “social connections” as well as improve its ad targeting.
Facebook has said it no longer asks users to verify new accounts with their email password, and the New York Attorney General’s office has said it plans to investigate the incident to see if any privacy laws have been broken.