Facebook asked some users for their email passwords, then "inadvertently downloaded" 1.5 million contact lists without consent




Photo: Jenny Kane (AP)

Earlier this month, Facebook admitted that it was asking some users who signed up on their computer using email addresses that did not support the open OAuth standard to provide the passwords to their email accounts, with the options to avoid doing so hidden in a "Need help?" submenu. Now, the social media giant has admitted that it "unintentionally" downloaded the contact lists of 1.5 million such email accounts to Facebook, without the consent or knowledge of their owners.

Bennett Cyphers, a security expert at the Electronic Frontier Foundation, told Business Insider earlier this month that asking users to hand over account credentials as part of the registration process is "indistinguishable from a phishing attack." Facebook automatically pulled the contact lists from about 1.5 million email accounts that it had been allowed to access through this method, without ever asking for permission. Again, this is exactly the type of thing you would expect from a phishing attack.

Facebook told Gizmodo by email that in May 2016 it had revised the registration process, which had initially asked the affected users for permission to download their contact lists. This change removed the permission prompt, although the company did not realize that the underlying functionality was still working in some cases. It seems that the only way a user would have been aware of this before account activation would have been to notice a pop-up window stating that Facebook "was importing contacts."

Facebook said that it had never seen the content of any email, according to Business Insider.

A spokesman told Gizmodo by telephone earlier this month that "the intent of this option was simply to confirm the account." However, Facebook confirmed to Gizmodo on Wednesday that the contact information was used for friend suggestions ("People You May Know") and to improve ads (in other words, for targeted advertising purposes).

A Facebook spokesman also told Gizmodo that a screenshot of the initial registration prompt was not available.

In a statement, the company wrote that it would notify the 1.5 million users concerned and delete the contacts that it had obtained without their knowledge or consent:

Earlier this month, we stopped offering email password verification as an option to people who checked their account when they first registered for Facebook. When we looked at the steps people took to check their accounts, we found that in some cases, those people's email contacts were also unintentionally downloaded to Facebook when they created their accounts. We estimate that nearly 1.5 million email contacts have been downloaded. These contacts have not been shared with anyone and we are deleting them. We have solved the underlying problem and are warning the people whose contacts were imported. Users can also view and manage the contacts that they share with Facebook in their settings.

Notably, the Daily Beast had initially confirmed that some users were asked to provide email passwords "using a disposable webmail address and connecting via a VPN to Romania". Romania is a member state of the European Union, which implemented the extensive General Data Protection Regulation (requiring explicit, freely given and informed consent to process personal data) last year.

This is the umpteenth time in recent memory that Facebook has been found doing something its users might not like. Recent company controversies include the use of two-factor authentication as a pretext for obtaining phone numbers for targeted notifications and advertisements, the use of pseudo-VPN applications to extract a lot of information about users' mobile habits, the collection of text metadata, and storing passwords in plain text.

[Business Insider]
