Facebook has confirmed it will stop asking new users to share the passwords to their e-mail accounts, a practice that was part of the company’s user verification process, after security experts warned that it could result in a privacy nightmare.
The fact that Facebook was demanding that new users hand over their e-mail passwords to continue using the platform didn’t gain widespread attention until a Twitter user recently shared a screenshot of Facebook making the demand on its official website.
“Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know!” wrote a Twitter user named e-sushi.
Facebook employees could view user passwords in plain text
This came even after the passwords of between 200 million and 600 million Facebook users were found to have been stored in plain text on internal Facebook servers for years, where up to 20,000 Facebook employees could view them at any time. In fact, around 2,000 developers or engineers “made approximately nine million internal queries for data elements that contained plain text user passwords”, according to an internal Facebook source.
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity,” the company said.
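The failure mode described above is not that a database column was unencrypted, but that plain-text passwords ended up in places (logs, internal data stores) that thousands of engineers could query. The following Python example is added here to show the anti-pattern beside the hardened form; it is not Facebook’s code and models nothing about its systems. The user stores, the audit log and the usernames are constructed for the illustration; the hardened version uses scrypt from the standard library with a random per-user salt, a constant-time comparison, and redacts the password before anything is logged.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed in-memory state for the example: two "user tables" and one
# shared audit log that any engineer with log access could later query.
USERS_INSECURE: Dict[str, dict] = {}
USERS_SECURE: Dict[str, dict] = {}
AUDIT_LOG: List[str] = []

# scrypt work factors (assumed values; tune for your hardware). 2**14/8/1 needs
# about 16 MiB per hash, which fits OpenSSL's default maxmem of 32 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def register_insecure(username: str, password: str) -> None:
    """Anti-pattern: the raw request, password included, is written to a log
    line and the password itself is stored as-is. Anyone who can query the
    log or the table now holds the user's credential."""
    AUDIT_LOG.append(f"signup request user={username} password={password}")
    USERS_INSECURE[username] = {"password": password}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte scrypt digest; a fresh 16-byte salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def register_secure(username: str, password: str) -> None:
    """Hardened form: the password is redacted from the log line before it is
    written, and only the salt and a slow-KDF digest are stored."""
    AUDIT_LOG.append(f"signup request user={username} password=[REDACTED]")
    salt, digest = hash_password(password)
    USERS_SECURE[username] = {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_secure(username: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    rec = USERS_SECURE.get(username)
    if rec is None:
        # Run the KDF anyway so a missing user costs the same time as a wrong
        # password (avoids a timing-based user-enumeration oracle).
        hash_password(password, bytes(16))
        return False
    _, digest = hash_password(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def plaintext_exposure(store: Dict[str, dict], log_lines: List[str], password: str) -> dict:
    """Simulate the 'internal query': does the password appear anywhere an
    engineer with store or log access could read it?"""
    return {
        "store": any(password in str(rec) for rec in store.values()),
        "logs": any(password in line for line in log_lines),
    }


if __name__ == "__main__":
    register_insecure("alice", "hunter2")
    register_secure("bob", "correct horse battery")
    print("insecure:", plaintext_exposure(USERS_INSECURE, AUDIT_LOG, "hunter2"))
    print("secure:  ", plaintext_exposure(USERS_SECURE, AUDIT_LOG, "correct horse battery"))
    print("login ok:", verify_secure("bob", "correct horse battery"))
```

The check worth carrying into a real code base is the last function: grep your logs and stores for a known test password after exercising the signup and login paths. A correct hashing routine is undone by one debug statement that serialises the whole request.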
While it remains to be seen how Facebook stored or processed the e-mail passwords it obtained from newly registered users, the company has apologised for using this method to verify users and has promised to stop using it.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” said a company spokesperson.
“I’d like to thank everyone who pushed that ‘#Facebook email provider password no-go’ into the appropriate spotlight. Without the help of my followers and related press articles (starting with @thedailybeast), Facebook would most probably just have shrugged and continued its act,” e-sushi added in a separate tweet.
Facebook allowed advertisers to look up users’ profiles using phone numbers
This isn’t the only unthinkable road Facebook has taken in the recent past to gain access to more user information than it probably needs, or is allowed to collect or share.
Recently, Jeremy Burge, Chief Emoji Officer at Emojipedia, noted that Facebook also uses people’s phone numbers to let others, advertisers included, find them on Facebook by typing in a number. The lookup setting is set to “everyone” by default, which means that unless a user changes who can search for his/her profile using a phone number, anyone on Facebook can look that profile up by number.
Burge added that even if Facebook users do not provide their phone numbers to the social media giant to activate two-factor authentication, there’s a chance that Facebook already has their phone numbers thanks to an integration with WhatsApp, Facebook Messenger, and Instagram.
“*Not* giving your phone number to FB is borderline pointless: they have it anyway. If any of your friends agrees to Messenger or WhatsApp accessing their contacts, Facebook knows your number, no matter what you do. When opening Facebook Messenger for the first time, the default action to create a new account is no longer email or username; it’s phone number. The holy grail. The unique ID,” he said.