Shortly after Facebook announced it would stop asking new users to share passwords to their e-mail accounts, the company has said that email contacts of up to 1.5 million people were imported inadvertently and that it is deleting them as soon as possible.
Earlier this month, it came to light that Facebook was demanding that new users share their e-mail passwords to continue using the platform, prompting the company to announce that it would stop asking new users to share passwords to their e-mail accounts as part of its user verification process.
"We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it," said a company spokesperson.
Earlier today, Facebook announced that it had "unintentionally uploaded to Facebook" the email contacts of up to 1.5 million people, which it realised when it looked into the steps people were going through to verify their accounts.
"When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded," said a Facebook spokesperson.
"These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," the spokesperson added.
"This news illustrates how easy it is for any company—not just Facebook—to skip asking for consent when harvesting personal data like your contacts. Consumers need to be vigilant but also need a basic set of online rights," says Brian Vecci, Field CTO of Varonis.
"Companies shouldn’t be able to grab your entire social network through your contact list without express permission, and companies like Facebook need to face penalties when they do it. Without basic consumer protections that lead to real penalties, this kind of thing will continue to happen," he adds.
Data security practices of Facebook need greater scrutiny
While Facebook has done well to admit that it was in possession of email contacts of over 1.5 million people and is taking steps to delete them as they were obtained without consent, it was not so upfront about the fact that passwords of between 200 million and 600 million of its users were stored in plain text on internal servers for years and were accessible to over 20,000 Facebook employees.
This was revealed after a senior Facebook employee told KrebsOnSecurity that around 2,000 developers or engineers "made approximately nine million internal queries for data elements that contained plain text user passwords".
Only after KrebsOnSecurity revealed this did Facebook come forward to state that it had discovered the storage of user passwords in plain text during a security review in January this year and that it found no evidence of anyone improperly accessing or internally abusing such passwords.
"Facebook Privacy is an oxymoron and the gift that keeps on giving. In the wake of reports that Facebook uploaded contacts of more than 1 million users, and the face-palm of flat files containing users' passwords in cleartext, we now have Facebook user-related information seeping into everything," said Sam Curry, chief security officer at Cybereason.
"Data in general is much like water in how it flows, building like an inexorable wave. Privacy data is even more like water in how it can corrode trust and erode even the mightiest digital giant. It’s beyond time for Facebook to have a plan and to be held accountable to it, and a clear message should be echoing in all the super aggregator board rooms: get serious about privacy or face existential accountability.
"Next steps for Facebook need to make privacy a core value right now. Long overdue is Facebook bringing in independent advisors, observers and thought leaders to offer a fresh perspective and an opportunity to answer the tough questions," he added.