One of Britney Spears’ earliest hit is almost comically appropriate here with some modification. Oops, Facebook did it again and, this time, it probably wouldn’t have admitted to it if it weren’t caught red-handed. Apparently, the social networking titan has been asking new users to enter not only their email address but also the password to said email address for the sake of verification. What it did, however, was actually getting the user’s email contacts and uploading them to its own servers without warning them or asking their permission.
This was actually a feature, not a bug. Or at least in the earlier days of Facebook before 2016. It used that system to verify users’ identity and then ask them to voluntarily give Facebook a copy of their email contacts, often without those contacts knowing what you were doing.
Let it be known that email service providers and security experts sternly advice against giving anyone your email password, much less someone you don’t trust. Much less Facebook. Most other services that require email verification only ask for your email address to send you a verification link. They never ask for your email password. Not unless they had something less innocent in mind.
As of May 2016, however, Facebook says it no longer uses that system to verify new user sign-ups and it removed the text warning users that their email contacts were being uploaded. What it forgot to remove, however, was the system that asked the user for their email password and uploaded their email contacts to Facebook servers. The company admits that in almost the three years that system was “unintentionally” left running, Facebook amassed email contacts from 1.5 million users.
Considering each user has at least a dozen email contacts, some even a hundred, that means at least 18 to 150 million email addresses for Facebook to use for ad targeting and whatnot. Good thing then that it didn’t read those users’ actual emails. Or so Facebook claims.
The beleaguered company is now reaching out to those 1.5 million or so affected users to inform them that, oops, they violated their privacy again. Those email addresses are also promised to be deleted from Facebook’s servers now that they have served their purpose.