For such an allegedly smart company, Facebook doesn’t half do some dumb things.
Kudos to the team at Business Insider who were as bewildered as the rest of us as to why Facebook was asking some users to hand over the password of their email account, but also noted that the site appeared to then be scooping up users’ address books without requesting prior permission.
As security-savvy folks around the world reacted with a mixture of shocked headlines and shrugs of resignation (this was Facebook, after all), the social network said that it would be discontinuing the feature.
Business Insider, however, went one step further and asked Facebook just how many users had their email contacts uploaded through the mechanism.
Facebook’s response to the question from Business Insider is rather shocking – up to 1.5 million users.
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
Considering how many names and addresses the typical person has in their email address book, that could mean that Facebook stole (Yes, it was stealing. They didn’t have permission) the contact details of hundreds of millions of people.
I wonder how the authorities and regulators might view Facebook’s lax behaviour around its users’ private data. And I wonder if Facebook would even have admitted the details of what happened if they hadn’t been pressed by journalists.
And if Facebook can “unintentionally” make a huge mistake like this, I wonder what other unintentional boo-boos it can make.
And how much longer people will put up with it.
Remember, if security researchers and journalists hadn’t pointed out this problem, Facebook would still be doing it. Who wants to make a bet as to when the next Facebook privacy scandal pops up?
We put together a “Smashing Security” podcast where we describe how to quit Facebook and offer some techniques for people who are fearful of going cold turkey.
Smashing Security #75: 'Quitting Facebook'