Facebook admits recording and storing newly-registered users' email details without their consent since 2016
Another day, another Facebook scandal. This time, it came to light that the industry giant was recording email addresses of some users who registered during the past three years, starting from May 2016.
As independent security researcher e-sushi explained in a Twitter post back in March, Facebook was asking its new users to verify their email address, a process that also required providing the password for the email account. This was already a shady verification practice, and Business Insider has now concluded that the process was “importing” the data, with no way for users to opt out.
In response, Facebook said that it “unintentionally” obtained the sensitive data of 1.5 million users due to a shady practice that continued for almost three years. The spokeswoman also said that the practice had stopped last month:
Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
The password-harvesting practice is very unusual
All internet users have created online accounts before, and they should be used to being asked to provide an email address for verification purposes. As soon as they enter the address, they receive a link which, when clicked, redirects to an account verification page, confirming the email address and finalizing the registration process.
However, Facebook took a completely different approach to this practice. “To continue using Facebook, you’ll need to confirm your email address” – a standard sentence followed by an unusual request to provide the password of the email account.
While Facebook confirmed that 1.5 million people were affected by this, the real number of people impacted might reach hundreds of millions because, by obtaining access to users' email accounts, Facebook can also reach everyone stored in their contact lists.
Facebook data breach scandals do not seem to cease
Since the Cambridge Analytica scandal broke over a year ago, when Facebook revealed that it illegally stole personal information of as many as 87 million users, there have been numerous other incidents involving the social media giant, as it launched an extensive investigation concerning the company's data protection practices.
The Silicon Valley company recently came under fire when it turned out it stored hundreds of millions of Facebook user details on an Amazon server. Just before that, it was also revealed that the industry giant had been saving millions of users' passwords in plain text since 2012.
This time, Facebook plans to contact every single individual who was affected by the issue. The company also said that it would delete all the data that was harvested during the past three years. In the meantime, the industry giant's spokesperson said that the illegally obtained credentials were not exposed to any malicious parties:
We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
While, once again, Facebook representatives reassure users, one might start asking “When are you going to secure our data properly?” On the other hand, these scandals might prompt users to think twice before putting up personal information on social media.
Privacy is currently an important concern for many people, not only security experts, as excessive spying on users for profit has become a real problem worldwide.