When will Facebook stop disappointing its users with data privacy issues? The platform has now been spotted collecting over 15 lakh email contacts of new users without their knowledge or consent.

A report from Business Insider confirmed that Facebook has been storing email addresses from users' contact lists since May 2016. It affects users who have less popular email domains such as GX or Yandex. As these domains don't support the OAuth standard for user authentication, Facebook used to verify user identities manually. However, on top of the multi-step process these users have to go through, Facebook also asked them to enter their email account passwords in a text box within Facebook. After that, they received a message saying that Facebook was importing contacts. What's alarming is that Facebook didn't mention this before or after the password was entered. This implies that Facebook, AGAIN, was gathering data without user consent.

This was first reported by Mike Edward Moras, who is a popular cybersecurity software professional. Mike raised it in a Twitter thread, noting that Facebook did not mention the other email authentication methods these users would have used.

Some researchers have been monitoring this phishing-like approach since March. According to a report from EFF, researchers were unsure about what kind of data Facebook was stealing.


However, a spokesperson from Facebook confirmed to Business Insider that the company collected information of 1.5 million users ‘unintentionally’. The spokesperson said that the contacts were just used to enhance Facebook’s friend recommendations feature. So far there is no news about ad targeting or data brokers involving these users.

The spokesperson said, “Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account.” They further added, “These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

Facebook Stored Millions of Passwords Without Encryption

The company didn’t stop here. While its security practices regularly come under fire, this time Facebook stupidly stored millions of Instagram user passwords without encryption (that is, in plain text). The company had previously claimed that this issue affected “tens of thousands” of users.

On March 21, the company published an announcement titled “Keeping Passwords Secure”. During a “routine security review,” according to the social media giant, developers found some readable data which later turned out to be Instagram passwords. The passwords were accessible to Facebook employees. The company did not find any evidence of improper access or leak of these passwords.

Facebook chose the busiest news day to disclose something this important. While the Mueller report was all over the news yesterday, Facebook gave the following message:

“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

The two incidents clearly show that Facebook still needs a robust firewall and attentiveness to its users before things get bad. They might get away with it this time.