Pierluigi Paganini April 18, 2019

Facebook made the headlines once again for alleged violations of the privacy of its users, this time collecting contacts from 1.5 Million email accounts without permission.

New problems for Facebook, the company collected contacts from 1.5 Million email accounts without user’permission.

We recently read about an embarrassing incident involving the social network giant that asked some newly-registered users to provide the passwords to their email accounts to confirm their identity.

Some experts speculated that the social network giant was using the password to access the email accounts and collect their contacts.

New of the day is that Facebook admitted it was collecting email contacts of some of its users.

“Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network” reported the Business Insider.
“The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.”

Of course, Facebook declared that it has “unintentionally” uploaded email contacts from up to 1.5 million new users on its servers since May 2016, but the company was never authorized to do it and did not receive their consent.

This means that roughly 1.5 million users unintentionally shared passwords for their email accounts with the social network.

According to a Facebook spokesperson who spoke with Business Insider, the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

“At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” continues the Business Insider.

Facebook stopped using this email verification process a month ago, when a researcher using the pseudononymous of “e-sushi” noticed that the social network was asking some users to enter their email passwords when they signed up for new accounts.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The list of incidents that involved the company in the last year is long. In April experts found 540 Million Facebook user records on unprotected Amazon S3 buckets.

In March 2019, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text.

In October 2018, Facebook disclosed a severe security breach that allowed hackers to steal access tokens and access personal information from 29 million Facebook accounts.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]