Without permission, Facebook harvested 1.5 million email contacts


Over the course of three years, Facebook has “unintentionally” uploaded and saved email contact information from approximately 1.5 million users.

This problem came to light when a security researcher informed the social media giant of a controversial verification system implemented for certain users in which their email address credentials had been requested.

An unfortunate practice in itself, which Facebook claimed was in retrospect “not the best way” to verify, despite the company’s commitment to stop asking for this detail, the security implications were, seemingly, even deeper than first reported.

According to Business Insider, some users who tried to register for the first time would also see a popup message that told them that their email contacts were’ importing’ in order to create social connections.

To ask the key to a third-party domain checking account is bad enough and is not recommended for the sake of security. However, the collection–without consent–of contact data in these accounts is even worse.

A Facebook spokesperson has said that about 1.5 million users participated, which was first started in May 2016.

In the next few days, affected users will be notified and the social network actively removes their email contact information from internal systems. “Last month, when we registered for Facebook, we stopped offering email password verification as an option for people to verify their accounts,” the spokesman said. When we looked at the steps that people used to check their accounts, we found that in certain cases email contacts were also unintentionally uploaded to Facebook when they created their account.’

The Facebook representative added that the contacts were not shared and the “below problem” was fixed.

Since the 2018 Cambridge Analytica scandal which harvested data for approximately 87 million users for electoral profiling purposes, story by story has broken in relation to Facebook security problems and lackluster data protection practices.

Over the last couple of months, the social network has faced criticism of lax API control which has created  broad and loose system for user data sharing with other companies; a secret Facebook research system which has given teenagers extensive access to their mobile activity and surfing habits; and Facebook has allowed hundreds of millions of Facebook, Facebook Lite and Instagram credentials to be stored

However, in a more fun misfortune, the virtual reality arm Oculus of Facebook this week said it accidentally shipped controllers with easter egg messages like “Big Brother is looking at it.”

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.