Facebook has done it again. This time the social media giant says they ‘accidentally’ uploaded the email contacts of 1.5 million users without their knowledge or consent.
According to Business Insider, Facebook collected the data when new users were opening their accounts. The news came to light when a security researcher who uses the Twitter handle ‘e-sushi’ noticed that Facebook was asking users to enter their private email password to verify their identity.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
In a series of tweets, e-sushi explained that the request was the only way that Facebook was offering to verify his password, and that the link offering to explain more about the method of verification was broken.
Business Insider tested the process and found that if you did enter your email password, a message from Facebook appeared saying it was "importing" your contacts, without asking for permission first.
#Facebook: “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
Guess that's a #MissionComplete. 😏
Stay safe y'all and remember to never share your secrets with any 3rd party… ever. https://t.co/u0b7bCcuej
— e-sushi (@originalesushi) April 3, 2019
Facebook admits to uploading contacts
At the time, it seemed like this was just another way for Facebook to know literally every single thing about you. But then on Wednesday Facebook admitted to Business Insider that 1.5 million people's contacts were collected via this verification method. This data was then used to improve Facebook's ad targeting, as well as to narrow down the friends it recommends adding.
Facebook promises it wasn't actually going into people’s email, but it was definitely accessing contact lists. These lists can be highly personal and reveal who you are in contact with and when.
The number of users Facebook has revealed it accessed contact information from stands at 1.5 million, but the actual number of email addresses it obtained this way could be in the hundreds of millions, as each user could potentially have hundreds of contacts related to their address.
Hundreds of millions possibly affected
Facebook has not confirmed how many email addresses it now has access to. Both e-sushi and Business Insider noticed that there was no way out of the verification process once you had begun. After entering your password, a ‘contacts importing’ message appeared with no way to stop or pause the operation.
Facebook has now changed the way it verifies new accounts. This is just the latest in a long series of data breaches and missteps by the Silicon Valley-based company. Facebook has indicated it will inform the 1.5 million users affected and delete their contacts from the company's systems.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account," the spokesperson said in a statement.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone, and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."