Facebook to stop asking new users to share their e-mail passwords


Irish Data Protection Commission to investigate Facebook's password storage fiasco

Facebook has confirmed it will stop asking new users to share the passwords to their e-mail accounts, a step that was part of the company's user verification process, after security experts warned that the process could result in a privacy nightmare.

The fact that Facebook was demanding that new users share their e-mail passwords to continue using the platform didn't gain widespread attention until a Twitter user recently shared a screenshot of Facebook making the demand on its official website.

"Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know!," wrote a Twitter user named e-sushi.

Facebook employees could view user passwords in plain text

This comes even after the passwords of between 200 million and 600 million Facebook users were found to have been stored in plain text on internal Facebook servers for years, where they could be viewed by up to 20,000 Facebook employees anytime they wanted. In fact, around 2,000 developers or engineers "made approximately nine million internal queries for data elements that contained plain text user passwords", according to an internal Facebook source.

"To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity," the company said.

While it remains to be seen how Facebook stored or processed the e-mail passwords that it obtained from newly registered users of its platform, the company has apologised for using this method to verify users and has promised to stop using it.

"We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it," said a company spokesperson.

"I'ld like to thank everyone who pushed that "#Facebook email provider password no-go" into the appropriate spotlight. Without the help of my followers and related press articles (starting with @thedailybeast), Facebook would most probably just have shrugged and continued its act," e-sushi added in a separate tweet.

Facebook allowed advertisers to look up users' profiles using phone numbers

This isn't the only unthinkable road Facebook has taken in the recent past to gain access to more user information than it probably needs or is allowed to take or share.

Recently, Jeremy Burge, Chief Emoji Officer at Emojipedia, noted that Facebook is also using people's phone numbers to let advertisers find them on the platform by typing in a phone number. This feature is set to "everyone" by default, which means that unless a Facebook user changes who can search for his/her profile using a phone number, anyone on Facebook can look up that profile.

Burge added that even if Facebook users do not provide their phone numbers to the social media giant to activate two-factor authentication, there's a chance that Facebook already has their phone numbers thanks to an integration with WhatsApp, Facebook Messenger, and Instagram.

"*Not* giving your phone number to FB is a borderline pointless: they have it anyway. If any of your friends accepts to Messenger or WhatsApp accessing their contacts, Facebook knows your number, no matter what you do. When opening Facebook Messenger for the first time, the default action to create a new account is no longer email or username; it’s phone number. The holy grail. The unique ID," he said.


Copyright Lyonsdown Limited 2021
