Facebook demands new users hand over their email passwords

Facebook under fire after firm is caught demanding new users hand over their email passwords in exchange for harvesting their contacts without their consent

  • Some users who attempt to sign up are required to give their email password
  • The firm also appears to be harvesting their contacts after they provide the info
  • Facebook now says it will no longer ask users to provide their email passwords 
  • Security experts called the move ‘sleazy’ and compared it to a phishing attack
  • e-mail



Facebook is under fire after it was revealed that the social media giant asks new users to provide their email passwords when they sign up to create an account.

The site prompts some new users to give up the highly sensitive information in order to login, catching the attention of security experts, some of which say the practice is no different than a phishing attack.

What’s worse, after users provide their email password, Facebook appears to be harvesting users’ contacts to store in its databases without their consent, according to Business Insider.  

It comes mere weeks after Facebook was found to have stored hundreds of millions of users’ passwords in plain text, marking just the latest example of Facebook’s numerous privacy bungles. 

Scroll down for video 

Facebook is under fire after it was revealed that the social media giant asks new users to provide their email passwords when they sign up to create an account

The findings were first reported by The Daily Beast.  

When some users attempt to login, they’re met with a notice on the site that reads: ‘To continue using Facebook, you’ll need to confirm your email.’

The notice then has an empty field for entering their email password below the email address they used to register on the site. 

A disclaimer on the notice then states: ‘Facebook won’t store your password.’ 

The notice appears to show up only for users who sign up with certain email providers, such as Russian internet firm Yandex and GMX Mail.

  • Older women going back to work after maternity leave are… GM, Ford and Toyota join forces on AI consortium for… The end of annoying WhatsApp groups: Update stops people… YouTube bosses deliberately IGNORED requests from more than…

Share this article

Twitter user @originalesushi first discovered the password entry form over the weekend. It requires some new users to provide their email password in order to verify their identity

Users with email addresses from Gmail, Outlook and other services aren’t being shown the notice because those providers use the OAuth protocol, which authenticates a user’s identity without requiring them to supply their password. 

Once users provide their email password, Facebook shows a pop-up that says the site is ‘importing contacts.’ 

However, users aren’t given the option of consenting to this, Business Insider noted. 

It’s unclear whether or not the site pulls any contact information or where it’s stored. 

After the practice was discovered, Facebook announced that it would no longer give the option of providing an email password to login.

Facebook said only a ‘small number of users’ were asked to provide their email password upon logging in. 

‘We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,’ a Facebook spokesperson told the Daily Beast.

The firm said users can also authenticate their account by having a code sent to their phone or a link sent to their email by clicking on the ‘Need help?’ button in the bottom left corner of the pop-up.  

Twitter user @originalesushi first discovered the password entry form over the weekend. 

‘By going down that road, you’re practically fishing for passwords you are not supposed to know,’ the user wrote. 

Security experts said the practice was concerning because it encouraged users to hand over private information that should only be shared in very limited circumstances. 

Moreover, should Facebook ever experience a data breach the likes of those it has experienced previously, users email passwords could very well be up for grabs by hackers. 

‘That’s beyond sketchy,’ security consultant Jake Williams told the Daily Beast. 

‘They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.’  

Another security expert compared Facebook’s request of email passwords to a phishing attack. 

‘This is bad on so many levels,’ Bennett Cyphers, a security researcher with the Electronic Frontier Foundation, told Business Insider.

User trust in CEO Mark Zuckerberg’s Facebook has been tested time and time again as it has weathered numerous privacy scandals, notably the Cambridge Analytica debacle last year

‘It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up. 

‘Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it,’ he added.

User trust in Facebook has been tested time and time again as it has weathered numerous privacy scandals.  

Just last month, security researcher Brian Krebs reported that Facebook left the passwords of 200 million to 600 million users stored in plain text.

It meant that the information was readable and searchable by more than 20,000 Facebook employees, in some cases dating as far back as 2012.

Prior to that, the firm announced in September it had been hit by its worst-ever data breach, with 50 million users’ information left exposed by an exploit in its ‘View As’ feature.   


December 2018: Facebook comes under fire after a bombshell report discovered the firm allowed over 150 companies, including Netflix, Spotify and Bing, to access unprecedented amounts of user data, such as private messages.

Some of these ‘partners’ had the ability to read, write, and delete Facebook users’ private messages and to see all participants on a thread. 

It also allowed Microsoft’s search engine, known as Bing, to see the name of all Facebook users’ friends without their consent.

Amazon was allowed to obtain users’ names and contact information through their friends, and Yahoo could view streams of friends’ posts.

As of last year, Sony, Microsoft, and Amazon could all obtain users’ email addresses through their friends.

September 2018: Facebook disclosed that it had been hit by its worst ever data breach, affecting 50 million users – including those of Facebook boss Mark Zuckerberg and COO Sheryl Sandberg.

Attackers exploited the site’s ‘View As’ feature, which lets people see what their profiles look like to other users.  

Facebook says it has found no evidence ‘so far’ that hackers broke into third-party apps after a data breach exposed 50 million users (stock image)  

The unknown attackers took advantage of a feature in the code called ‘Access Tokens,’ to take over people’s accounts, potentially giving hackers access to private messages, photos and posts – although Facebook said there was no evidence that had been done. 

The hackers also tried to harvest people’s private information, including name, sex and hometown, from Facebook’s systems.

Facebook said it doesn’t yet know if information from the affected accounts has been misused or accessed, and is working with the FBI to conduct further investigations.

However, Mark Zuckerberg assured users that passwords and credit card information was not accessed.

As a result of the breach, the firm logged roughly 90 million people out of their accounts earlier today as a security measure.

March 2018: Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy.

The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a ‘#deleteFacebook’ movement among consumers.

Communications firm Cambridge Analytica had offices in London, New York, Washington, as well as Brazil and Malaysia.

The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.

‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.

The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.

The data firm suspended its chief executive, Alexander Nix (pictured), after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump

This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so.

This was designed to help them create software that can predict and influence voters’ choices at the ballot box.

The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.

This information is said to have been used to help the Brexit campaign in the UK.

It has also suffered several previous issues.

In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.  

Source: Read Full Article