Facebook 'unintentionally' harvested email contacts from 1.5M users
Facebook on Wednesday confirmed that it "unintentionally uploaded" the email contacts of some 1.5 million users without their express consent since May 2016, a mistake the company is taking steps to correct.
Source: Business Insider
A security researcher discovered the apparent error after finding Facebook requesting some users provide both an email and corresponding password to verify their identity when opening a new account, reports Business Insider.
Upon entering the information, the social network automatically imported contacts stored on an email provider's servers. The report suggests Facebook logged in to customer email accounts, pulled contact information and stored that data without first asking consent.
In a statement to the publication, Facebook said the email upload mechanism is a vestige of a bygone user experience feature. Prior to May 2016, a one-step sign-up process allowed users to both verify their identity and upload email contacts to the network. That service, along with text notifying users of the feature, was deprecated, but the automated contact upload function was not.
Facebook estimates up to 1.5 million users were impacted by the flaw.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account."
In confirming the error, Facebook noted no contacts were shared and that it is in the process of deleting the gathered information. Users whose contacts were imported are being informed of the error.
"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," the spokesperson said.
Today's revelation is only the latest in a string of user privacy-related snafus. The social network has been under intense scrutiny since the Cambridge Analytica fiasco, with subsequent investigative reports shedding light on the company's internal workings, from sloppy security policies to questionable data sharing practices.
Most recently, documents leaked from an ongoing court case show Facebook leveraged user data in dealings with partners, offering friends access to the information while withholding the same from perceived competitors.
Comments
So to be clear, Facebook dumps resources into new privacy destroying features but can’t be bothered with appropriate asset retirement.
I work in cyber security and Facebook’s platform cannot be secure with legacy assets in play. I would expect a serious hacking incident soon, as their attack surface is not properly managed. The very best cyber security software cannot protect against ignorance and poor implementation.
This might sound like common sense; do not put private things on Facebook, do not connect any financials, do not use the Sign in with Facebook option, and do not underestimate Facebook’s deplorable track record.
How many more issues need to occur until justice systems get involved?
So, potentially, Facebook has data on me, compiled from multiple sources, that can be leaked or hacked or whatever and Facebook didn’t get it from me nor did I give them consent to use/collect it.
Let’s not forget that Facebook also tracks people around the internet and their physical location as well. That certainly isn’t data that users post.
I do laugh, though, when I remember a few years ago the outrage that ensued when it was discovered that people’s iPhones kept a map of where they had been in a hundred mile radius. Turned out it was to more quickly join Wi-Fi networks, if I recall correctly, and was data that stayed on the iPhone. I had several friends who were “upset” to find that out. But none of them seem to give a shit that Facebook records their physical location all the time and not for something as simple as connecting to Wi-Fi. Double standard much, people?
Sorry, but that's a naive view of what data FB has.