Earlier this month, Facebook admitted that it was asking some users who signed up on desktop while using email addresses not supporting the OAuth open standard to give them the passwords to their email accounts—with options to avoid doing so hidden in a “Need Help?” sub-menu. Now the social media giant has admitted that yes, it did “unintentionally” upload contact lists from up to 1.5 million of those email accounts to Facebook, without their owners’ consent or knowledge.
Electronic Frontier Foundation security expert Bennett Cyphers told Business Insider earlier this month that asking users to hand over account credentials as part of a registration process is “basically indistinguishable to a phishing attack.” Per a Wednesday report in Business Insider, Facebook has now said that it automatically extracted contact lists from around 1.5 million email accounts it was given access to via this method without ever actually asking for their permission. Again, this is exactly the type of thing one would expect to see in a phishing attack.
Facebook told Gizmodo via email that in May 2016 it made a revision to the registration process, which originally asked the affected users for permission to upload contact lists. That change removed the opt-in prompt, though the company did not realize the underlying functionality was still operating in some cases. It seems that the only way a user would necessarily be aware of this prior to account activation would be if they caught a pop-up stating that Facebook is “importing contacts.”
Facebook says it never saw the contents of any emails, according to Business Insider.
A spokesperson told Gizmodo via phone earlier this month that “The intent of this option was simply to confirm the account.” However, Facebook confirmed to Gizmodo on Wednesday that the contact information was used for friend suggestions (i.e. its oft-unsettling “People You May Know” feature) and to improve ads (in other words, for targeted advertising purposes).
A Facebook spokesperson also told Gizmodo that a screenshot of the original opt-in prompt was not available.
In a statement, the company wrote that it would be notifying the 1.5 million impacted users, as well as deleting any contacts it obtained without their knowledge or consent:
Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
Notably, the Daily Beast originally confirmed that some users were being asked to provide email passwords by “using a disposable webmail address and connecting through a VPN in Romania.” Romania is a member state of the European Union, which implemented the sweeping General Data Privacy Regulation (requiring explicit, freely given, and informed consent to process personal data) last year.
This is the umpteenth time in recent memory that Facebook has been found to have done something its users might not appreciate. Notable recent controversies at the company have included the use two-factor authentication as a pretext to obtain phone numbers for notifications and targeted advertising, using pseudo-VPN apps to vacuum up extensive information on users’ mobile habits, seemingly obfuscating prompts to share call and text metadata, and storing passwords in plaintext.