Facebook “unintentionally” uploaded 1.5 million users’ email contacts without their consent, left millions of Instagram users’ passwords unsecured
Ever since the world’s biggest social media company, Facebook, had its reputation blown up by the Cambridge Analytica data harvesting scandal, it has been promising to avoid similar incidents. While on one hand it has improved efforts to give users more transparency, the company has not had much success in ensuring basic security for their data. After admitting to the folly of storing hundreds of millions of passwords in an easily readable format, the social media giant has now had to inform users of another lapse. Since 2016, Facebook has harvested the email contacts of 1.5 million new users, but says that it did so “unintentionally.”
Business Insider recently uncovered that over the last three years, Facebook has uploaded the contacts associated with the email IDs of at least 1.5 million new users without their permission. Facebook had been asking users to share the password to the email account used for signing up, offering it as an easy and automatic way to verify their emails. This is how it actually misused its privileges and the users’ trust. The report claims that not only did Facebook access email accounts on users’ behalf, but it also imported their email contacts without seeking any permission and stored this data on its servers.
The contacts stored by Facebook were also used to suggest friends, improve ad targeting, and build upon “Facebook’s web of social connections.” Responding to this, a spokesperson told Business Insider that these contacts were “unintentionally uploaded to Facebook,” and assured that the data is now being deleted.
Until May 2016, users had manual control over whether they wanted to sync their email contacts with Facebook. The feature was then automated for users verifying their Facebook accounts directly, but the text meant to inform them was removed. So while 1.5 million is the number of accounts whose data was harvested, the actual number of email addresses obtained by Facebook could have been much larger.
Business Insider went ahead to demonstrate how the feature works. When a user enters the password to their email ID and clicks on the connect button, a new dialog box labeled “Importing contacts” pops up. There is no button to cancel the process, and presumably, killing the tab won’t do any good since Facebook already has access to your email account.
The company reportedly “stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time” after a security researcher who goes by the alias “e-sushi” pointed out the flaw. Facebook also claims that users’ private conversations were not read and promised that it will inform all of the users whose emails were harvested.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
Unprotected Instagram passwords
Last month, it was revealed that the passwords of 200-600 million Facebook Lite users were stored without any encryption on the company’s servers, easily available to 20,000 employees. Now, a similar issue seems to have plagued “millions” of Instagram accounts as well. In an update to the earlier blog post, Facebook’s VP of security and privacy, Pedro Canahuati, noted that the company’s research team had discovered an additional log of millions of Instagram passwords stored in a readable format.
He also wrote that the company will be notifying users whose passwords were stored without any encryption. However, it continued to hum the same tune of defiance, asserting that these passwords were not accessed or abused improperly.
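Two controls stand between a password and a log file like the one described above: the application stores only a salted, slow hash of the password, and the logging path scrubs credential fields before a record is written. The code below is an added example of both, together with a scan for credentials already present in log lines; it is not Facebook’s or Instagram’s code, the scrypt parameters are assumptions for the example, and the log lines are constructed.

```python
import hashlib
import hmac
import os
import re

# Assumed scrypt cost parameters for the example; tune to the login servers' budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing, salted scrypt record. The password itself is never stored,
    so a copy of the user table or a stray log of these records reveals no credentials."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters embedded in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


# Field names that must never reach a log sink verbatim (assumed list for the example).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")


def redact_for_log(event: dict) -> dict:
    """Scrub credential-bearing fields from a structured request record before logging it."""
    return {k: "[REDACTED]" if any(s in k.lower() for s in SENSITIVE_KEYS) else v
            for k, v in event.items()}


# Detection for logs that already exist: key=value pairs whose key looks like a credential.
_LEAK_RE = re.compile(r"\b[a-z_]*(?:password|passwd|pwd|secret|token)[a-z_]*=\S+", re.IGNORECASE)


def find_leaked_credentials(lines: list[str]) -> list[int]:
    """Return the indices of log lines that appear to carry a credential in the clear."""
    return [i for i, line in enumerate(lines) if _LEAK_RE.search(line)]


# Constructed sample log lines; not real traffic.
SAMPLE_LOG_LINES = [
    "POST /login user=alice password=hunter2 status=200",
    "GET /feed user=bob status=200",
    "POST /signup user=carol email_pwd=s3cret status=302",
]

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("redacted event:", redact_for_log({"user": "alice", "password": "hunter2"}))
    print("leaking log lines:", find_leaked_credentials(SAMPLE_LOG_LINES))
```

The record embeds its own cost parameters, so they can be raised later without invalidating older hashes, and verification compares digests with a constant-time function. The scanner is deliberately loose (it matches on key names, not values), which is the right trade for a sweep whose purpose is to find logs that should never have held a credential in the first place.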