Facebook's privacy gaffes keep coming. On Wednesday, the social media company said it had collected the stored email contact lists of as many as 1.5 million users without their permission. On Thursday, the company said that the number of Instagram users affected by a previously reported password storage error was in the "millions", not the "tens of thousands" as previously estimated.
Facebook said the email contact collection was the result of a misguided verification flow that instructed some users to hand over the password for the email address associated with their account if they wanted to continue using Facebook. Security experts almost unanimously criticized the practice, and Facebook dropped it shortly after it was reported.
In a statement issued to journalists, Facebook wrote:
Earlier this month, we stopped offering email password verification as an option for people confirming their account when they sign up for Facebook for the first time. When we looked at the steps people went through to confirm their accounts, we found that in some cases people's email contacts were also uploaded to Facebook when they created their account. We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we are deleting them. We've fixed the underlying issue and are alerting people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
Business Insider first reported the harvesting of the email contacts. When users gave their passwords to Facebook, the publication said, they received a message stating that Facebook was importing their contacts. The collection happened without asking for permission first.
While Facebook's statement referred to the email confirmation step as an "option", the language displayed in a tweeted screenshot of the message told users: "To continue using Facebook, you'll need to verify your email address." Many users could be forgiven for thinking that handing over their password was a condition of using the social media site. A Facebook representative told Ars that these users could also have confirmed their accounts with a code sent to their phone or a link sent to their email if they clicked the "need help" button in the popup window.
Facebook has said that it did not store the email passwords, but in another Facebook privacy lapse revealed last month, the company confirmed that it had erroneously stored hundreds of millions of user passwords in plain text rather than as cryptographic hashes. A hash is a fixed-length string of random-looking characters produced by running a password, message or file through a one-way algorithm. Because a properly generated hash cannot be reversed to recover the original input, security experts regard hashing (with a per-password salt and a deliberately slow algorithm) as the only acceptable way to store passwords.
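To make the distinction concrete, here is an added example (not code from the article or from Facebook) showing the plaintext failure mode beside a salted, iterated hash using the standard library's PBKDF2-HMAC. The record format, the iteration count and the sample passwords are assumptions for illustration only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a work factor in the range current guidance recommends for
# PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The failure mode: the credential is written to storage exactly as typed,
    so anyone who can read the store (or a log that captured it) has the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack it into a self-describing record.

    A fresh random salt per password means two users with the same password
    get different records, and an attacker cannot precompute a single table.
    The record carries the parameters so they can be upgraded later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Hypothetical record format: algorithm$iterations$salt$digest (all hex).
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time.

    Nothing here reverses the digest; the only operation available is to run
    the candidate forward and check whether it lands on the same value."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_exposes_password(password: str, record: str) -> bool:
    """Audit helper: does the stored value reveal the password verbatim?"""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bad = store_plaintext(pw)
    good = hash_password(pw)
    print("plaintext store exposes password:", record_exposes_password(pw, bad))  # True
    print("hashed store exposes password:   ", record_exposes_password(pw, good))  # False
    print("verify correct password:", verify_password(pw, good))      # True
    print("verify wrong password:  ", verify_password("hunter2", good))  # False
    print("same password, different salts, different records:",
          hash_password(pw) != hash_password(pw))  # True
```

The salt and iteration count live inside the record precisely so that a deployment can raise the work factor over time and re-hash on the next successful login, without ever needing the plaintext again.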
At the end of March, Facebook said that the plaintext password error affected hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users. Facebook's post was updated on Thursday to say that the number of Instagram accounts affected was much higher.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," Thursday's update said. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
Facebook has been the subject of a string of privacy gaffes since January 2018. It was then that a New York Times exposé revealed that the political consulting firm Cambridge Analytica had improperly harvested the data of tens of millions of Facebook users. Two months later, reports showed that the company had gathered years' worth of metadata from calls and text messages that users made or sent with Android phones.
Last year, CEO Mark Zuckerberg said he planned to reorient the site he founded as a privacy-focused service.