Facebook scandals seem to be happening almost every week now! In this latest scandal, it was revealed that the social media giant has been caught collecting email contacts of their users.
How is this possible, you might ask in disbelief? A few weeks ago Facebook was caught asking new users for the password to their email account in order to verify their accounts. Facebook faced intense criticism from InfoSec professionals for this because it breaks several security best practices.
A Facebook spokesperson said that the email passwords were not stored on Facebook servers. However, given Facebook’s history of mishandling sensitive user data, users are right to be concerned.
Facebook also stated that only a small number of new users were prompted to provide their email password, specifically users who were signing up with email accounts that don’t support OAuth. OAuth is a widely accepted standard that allows websites and services to share a user's assets without the user handing over their password.
At the time of this scandal, it was suspected that Facebook may have used this access to email accounts to collect information about the users’ email contacts. This has now been confirmed by Facebook.
A Facebook spokesperson said:
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account.
“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
Facebook seems to be experiencing crisis after crisis, each chipping away at users’ trust in the network. Facebook has often responded to these security failings by calling them mistakes, and usually ones that aren’t worth worrying about.
After the Cambridge Analytica story broke, Zuckerberg said:
“I think life is about learning from the mistakes and about learning what you need to do to move forward.”
However, a growing number of people believe these failures are not simple mistakes but rather intentional security negligence in order to harvest data.
In 2018, a controversial memo from Facebook Vice President Andrew Bosworth dating back to 2016 was released. This memo appeared to put the growth of Facebook and its goal of connecting people above all other concerns, including user security. In this memo, Bosworth talked of “questionable contact importing practices”, suggesting that Facebook is very aware of the nature of its conduct.