Two security issues disclosed by Facebook over the past month are worse than first thought, adding to a harrowing series of data-handling mishaps by the social network.
In March Facebook disclosed that it had been storing plain-text passwords for hundreds of millions of users going back to 2012.
Security writer Brian Krebs first reported that the passwords were searchable by Facebook employees, but not improperly accessed. Facebook plans to notify those newly affected users. It was first thought the issue affected only tens of thousands of Instagram users.
Email Contacts Issue Affects 1.5 Million
On April 3, a second issue came to light concerning Facebook's former practice of asking some new users for their email passwords as part of its signup process.
The practice, which was implemented to help people find their friends, immediately raised eyebrows because it could increase the chances of an email account being compromised, either through mishandling of the data or through phishing attacks.
It was first highlighted by Twitter user @originalesushi and appeared to apply only to people who signed up using email addresses from certain providers, such as Yandex and GMX, Business Insider reported.
Facebook told Information Security Media Group on Thursday that it had unintentionally uploaded the email contact lists of 1.5 million new users since May 2016. If users didn't enter the password, they couldn't create accounts. But if they did, they were not notified that their email contacts would be sent to Facebook.
Prior to May 2016, Facebook asked some users for their email password as part of an identity check, but gave them the choice of whether to upload their email contacts.
Facebook states that it will delete the email contacts data for the 1.5 million users. The contacts data was used for targeted advertising, friend recommendations and building webs of connections, Business Insider reported.
Facebook ended the email password verification practice earlier this month.
Plain-Text Password Storage
A report released on March 21 described how plain-text passwords had been stored for hundreds of millions of users going back to 2012.
The password storage issue affected users of Facebook Lite, the slimmed-down version of the application designed for users in areas where connectivity may be limited.
Facebook didn't give a reason why it was storing passwords in plain text. According to Facebook, it follows industry practices for handling passwords, which means it retains only a salted hash: a cryptographic representation of a password that would be unusable if captured by an attacker.
Facebook isn't mandating a password reset for the affected accounts; however, it advises users to change their passwords and to set a unique, strong one.
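To make concrete what "retaining only a salted hash" means, and why a plain-text record is the problem, the following is an added example (not Facebook's code; the article names no algorithm, so PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions). It stores the same password both ways, verifies a login against each record, and checks whether a captured copy of the record reveals the password directly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (assumption): a slow, salted key-derivation function.
# The article only says "salted hash" and does not name Facebook's algorithm.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The weak pattern described in the article: the record IS the password."""
    return {"scheme": "plaintext", "secret": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """The industry-practice pattern: keep a per-user random salt plus the
    derived hash. The password itself is never written to the record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type.
    compare_digest keeps the comparison constant-time in both branches."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(
            record["secret"].encode("utf-8"), candidate.encode("utf-8")
        )
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_exposes_password(record: dict, password: str) -> bool:
    """Would someone who captured this record (a log line, a database dump)
    learn the password just by reading it?"""
    return any(value == password for value in record.values())


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get unrelated hashes because each
    record carries its own random salt, so a leaked hash table cannot be
    matched user-to-user or against a precomputed table."""
    a = store_salted_hash(password)
    b = store_salted_hash(password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "correct horse battery staple"
    weak = store_plaintext(pw)
    strong = store_salted_hash(pw)
    print("plaintext record exposes password:", record_exposes_password(weak, pw))
    print("salted-hash record exposes password:", record_exposes_password(strong, pw))
    print("login with right password:", verify(strong, pw))
    print("login with wrong password:", verify(strong, pw + "x"))
```

The point of the per-record salt is that an attacker who obtains the stored table still has to run the slow derivation separately for every user and every guess; with the plain-text record there is nothing to attack at all, which is why an internal log containing such records is treated as a breach even when no one outside the company read it.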
The security issues add to the headwinds facing Facebook, which, despite a series of scandals, data breaches, lawsuits and regulatory inquiries, is nonetheless trying to convince the public that it is shifting to a more privacy-centric platform.
Last month, Mark Zuckerberg acknowledged the suspicion around the move given the social network’s patchy security record.
Zuckerberg stated that he understands "that many people don't think Facebook can or would even want to build this kind of privacy-focused platform – because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing."
The Federal Trade Commission is continuing its investigation into the Cambridge Analytica scandal and into whether Facebook violated a 2011 settlement. That settlement put Facebook on a monitoring regime aimed at ensuring users' consent was obtained before their data was shared.
Furthermore, an article in The Washington Post reported last Thursday that the FTC may be considering whether to hold CEO Mark Zuckerberg personally accountable for the site's data-handling mishaps, a move that could send a strong signal about executive responsibility for data lapses.